08-12-2011 4:43 PM
I am doing research on this article from the Black Hat Conference:
A researcher has discovered a critical set of security vulnerabilities that afflicts more than half of SAP servers on the Internet.
What is the flaw? How can it be exploited? Are there any band aids? What exactly can be done w/ a flaw? Does something need to be enabled within NetWeaver to exploit the flaw, and if so, is that feature enabled… Can we exploit it in our internal environment to test it?
From SAP they have sent out notes 1616259 and 1589525 indicating that SAP is in close contact with the presenter of this “Flaw”.
Is this something in the portal security design?
We are currently on Netweaver 7.11 SP3
Netweaver 7.01 SP6
08-13-2011 2:35 AM
All the answers to your questions are, at this time, only in those two notes: 1616058 and 1589525. Have you already read the notes? It seems not, judging by what you are asking...
On the other hand, the researcher Alexander Polyakov said they will not disclose details until 90 days after the patch was released.
Both researchers, Alexander Polyakov from Digital Security Research Group and Mariano Nuñez Di Croce from Onapsis, are in contact with SAP, as SAP said on the SCN "Acknowledgments to Security Researchers" web page.
Best regards.
Edited by: Raúl Batista on Aug 13, 2011 3:36 AM
Edited by: Raúl Batista on Aug 13, 2011 3:43 AM
08-15-2011 12:22 PM
Whitepaper on which the presentation "A crushing blow at the heart of SAP J2EE Engine" from BlackHat USA 2011 was based:
A crushing blow at the heart SAP J2EE engine whitepaper - http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf
The presentation itself: A crushing blow at the heart of SAP J2EE Engine - http://erpscan.com/wp-content/uploads/2011/08/A_crushing_blow_at_the_heart_of_SAP_J2EE_Engine.pdf
The tool will be published soon at erpscan.com