
SAP Portal J2EE engine “flaw” discovered at the recent Black Hat Conference

Larrym_mcc47
Explorer
0 Kudos

I am doing research on this article from the Black Hat Conference:

A researcher has discovered a critical set of security vulnerabilities that afflicts more than half of SAP servers on the Internet.

What is the flaw? How can it be exploited? Are there any band-aids? What exactly can be done w/ a flaw? Does something need to be enabled within NetWeaver to exploit the flaw, and if so, is that feature enabled… Can we exploit it in our internal environment to test it?

SAP has sent out notes 1616259 1589525 indicating that SAP is in close contact with the presenter of this “Flaw”.

Is this something in the portal security design?

We are currently on Netweaver 7.11 SP3

Netweaver 7.01 SP6

1 ACCEPTED SOLUTION

0 Kudos

All the answers to your questions are, at this time, only in those two notes: 1616058 and 1589525. Have you already read the notes? Seems not as for what you are answering...

On the other hand, the researcher Alexander Polyakov said they will not disclose details until 90 days after the patch was released.

Both researchers, Alexander Polyakov from Digital Security Research Group and Mariano Nuñez Di Croce from Onapsis, are in contact with SAP, as SAP said on the SCN "Acknowledgments to Security Researchers" web page.

Best regards.

Edited by: Raúl Batista on Aug 13, 2011 3:36 AM

Edited by: Raúl Batista on Aug 13, 2011 3:43 AM

0 Kudos

Whitepaper on which a presentation "A crushing blow at the heart of SAP J2EE Engine" from BlackHat USA 2011 was based - A crushing blow at the heart SAP J2EE engine whitepaper: http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf

presentation itself - A crushing blow at the heart of SAP J2EE Engine: http://erpscan.com/wp-content/uploads/2011/08/A_crushing_blow_at_the_heart_of_SAP_J2EE_Engine.pdf

The tool will be published soon at erpscan.com