11-11-2015 10:23 AM
Dear all,
We are running a PI AEX (AS Netweaver Java 7.4) and I recently heard about this vulnerability: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vuln...
I did a quick search in the Java Class Loader View from PI's NWA and did not find any Apache library there. But as I would consider myself far from a J2EE expert, I might easily be looking in the wrong place.
So my questions are:
Many thanks and kind regards
Jens
01-14-2016 12:14 PM
11-23-2015 2:49 PM
11-26-2015 11:06 AM
11-26-2015 11:12 AM
Hi,
SAP has provided the following reply:
"SAP has received information about security deficiencies in some java
classes used in deserialization, used in a number of software products
of different vendors. These deficiencies are referred to under the
name of "java deserialization vulnerability". Currently, this
vulnerability has been identified in some of the commonly used open
source libraries (Apache Groovy [CVE-2015-3253] and Apache Commons
Collections). SAP security teams are in the process of investigating
if SAP products are affected by the reported vulnerability.
SAP takes any security-related report very seriously. We will notify
our customers appropriately as relevant new information on this topic
becomes available.
We take the opportunity to remind you to increase the security of
your SAP systems by installing the available security patches.
For information on SAP's security notes and patches, please refer to -
https://support.sap.com/securitynotes "
Best regards,
Aleksi
11-26-2015 11:50 AM
01-14-2016 12:14 PM
02-17-2016 1:20 PM
Especially http://service.sap.com/sap/support/notes/2246851 seems to be relevant for PI; maybe this one for Wily, too: http://service.sap.com/sap/support/notes/2262104