Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

SAP AS Java affected from commons-collection vulnerability?

JaySchwendemann
Active Contributor

Dear all,

we are running a PI AEX (AS NetWeaver Java 7.4) and I recently heard about this vulnerability: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vuln...

I did a quick search in the Java Class Loader View from PI's NWA and did not find any Apache library there. But as I would consider myself far from a J2EE expert, I might easily be looking in the wrong place.

So my questions are:

  1. Do you know if the SAP NetWeaver AS Java might be affected?
  2. How should I check, e.g. where to do that "grep" the above link mentions?

Many thanks and kind regards

Jens
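
Regarding the "grep" question above, here is an added example (not SAP tooling and not code from the linked write-up) of how to run that check across a Java deployment tree. The scan root passed as the first argument is an assumption, not a documented SAP path. It works because a JAR is a ZIP archive and ZIP stores every entry name uncompressed in its central directory, so the path of the gadget class is visible as plain text inside the .jar without unpacking it; exploded class directories are matched on the file system path instead.

```sh
#!/bin/sh
# Added example: find the deserialization gadget classes named in the public
# write-ups in a Java deployment tree. Not SAP-provided tooling; the root
# directory ($1) is an assumption and must be pointed at your own instance.
#
# Gadget classes: InvokerTransformer from Apache Commons Collections 3.x
# (collections4? also matches the 4.x package) and MethodClosure, the Groovy
# class behind CVE-2015-3253.
GADGET_RE='org/apache/commons/collections4?/functors/InvokerTransformer|org/codehaus/groovy/runtime/MethodClosure'

# scan_for_gadgets ROOT: prints one "archive:<path>" or "class:<path>" line
# per hit. Exit status 0 if anything was found, 1 if the tree looks clean.
scan_for_gadgets() {
    root="$1"
    hits=$(
        # Archives: grep -a reads the binary as text, -l prints only the
        # file name. Entry names sit uncompressed in the ZIP central directory.
        find "$root" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.sda' \) \
            -exec grep -a -E -l "$GADGET_RE" {} \; 2>/dev/null | sed 's/^/archive:/'
        # Exploded class directories: match on the file system path.
        find "$root" -type f \( \
            -path '*/org/apache/commons/collections/functors/InvokerTransformer.class' -o \
            -path '*/org/apache/commons/collections4/functors/InvokerTransformer.class' -o \
            -path '*/org/codehaus/groovy/runtime/MethodClosure.class' \) 2>/dev/null | sed 's/^/class:/'
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# make_constructed_sample: builds a throw-away tree with a constructed stand-in
# "jar" (ZIP magic followed by an entry name, enough to show why grep sees the
# class path), a clean jar and an exploded class, so the scanner can be
# demonstrated offline. None of these files are real SAP artefacts.
make_constructed_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/exploded/org/apache/commons/collections/functors"
    printf 'PK\003\004 org/apache/commons/collections/functors/InvokerTransformer.class' \
        > "$d/lib/commons-collections-3.2.1.jar"
    printf 'PK\003\004 org/apache/commons/lang/StringUtils.class' \
        > "$d/lib/commons-lang-2.6.jar"
    : > "$d/exploded/org/apache/commons/collections/functors/InvokerTransformer.class"
    echo "$d"
}

# Usage: sh scan.sh /path/to/as-java-root   (scans that tree)
#        sh scan.sh                         (runs against the constructed sample)
if [ -n "$1" ]; then
    scan_for_gadgets "$1"
else
    sample=$(make_constructed_sample)
    scan_for_gadgets "$sample"
    rm -rf "$sample"
fi
```

Two caveats a practitioner will hit: a JAR nested inside an EAR/SDA is usually stored deflated, so its entry names are not visible to grep from the outer archive and such containers have to be unpacked one level first; and a hit only tells you the library is on disk, not whether an endpoint deserializes untrusted input with it on the classpath, which is the question the vendor notes ultimately answer.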

1 ACCEPTED SOLUTION

Former Member

Hi,

Some SAP Notes have already been released related to this. Please search for "java serialization vulnerability".

Best regards,

Aleksi

6 REPLIES

Former Member

Hi, Jens!

Have you received any confirmation for this?

Best regards,

Aleksi


No, unfortunately not. Considering opening an incident for this to get some information.

Will keep this thread updated then.

If anybody else has information about this, please feel free to add here.

Cheers

Jens


Hi,

SAP has provided the following reply:

"SAP has received information about security deficiencies in some java classes used in deserialization, used in a number of software products of different vendors. These deficiencies are referred to under the name of "java deserialization vulnerability". Currently, this vulnerability has been identified in some of the commonly used open source libraries (Apache Groovy [CVE-2015-3253] and Apache Commons Collections). SAP security teams are in the process of investigating if SAP products are affected by the reported vulnerability.

SAP takes any security-related report very seriously. We will notify our customers appropriately as relevant new information on this topic becomes available.

We take the opportunity to remind you to increase the security of your SAP systems by installing the available security patches.

For information on SAP's security notes and patches, please refer to https://support.sap.com/securitynotes "

Best regards,

Aleksi


Great, thanks for sharing. Would be great if you update this thread if SAP is directly updating you with some information (maybe you opened an incident for this?)

Anyways we'll have to wait and see the outcome of this.

Cheers

Jens



Especially http://service.sap.com/sap/support/notes/2246851 seems to be relevant for PI, and maybe this one for Wily, too: http://service.sap.com/sap/support/notes/2262104