Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Internet Businesses Government Privacy Software News

Attackers Targeting Critical SAP Flaw Since 2013 (threatpost.com) 57

msm1267 quotes a report from Threatpost: Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications. The attacks were carried out between 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today. [The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.] The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps. The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business critical systems.
This discussion has been archived. No new comments can be posted.

Attackers Targeting Critical SAP Flaw Since 2013

Comments Filter:
  • J2EE? (Score:4, Informative)

    by viperidaenz ( 2515578 ) on Thursday May 12, 2016 @05:26AM (#52096965)

    Standard J2EE or an old Tomcat feature?

    org.apache.catalina.servlets.InvokerServlet

    It needs to be explicitly enabled to be active.

    • Re: (Score:3, Interesting)

      by Sique ( 173459 )
      It's the Standard J2EE feature. Its description is here: SAP: Invoker Servlet [sap.com].
      • Re:J2EE? (Score:5, Informative)

        by robmv ( 855035 ) on Thursday May 12, 2016 @07:56AM (#52097443)

        The invoker servlet and its default mapping /servlet/* isn't present in old nor current specs. It is not a JEE standard or was. It was a feature many JEE containers copied mainly because Tomcat at that time was the reference implementation (The invoker servlet class was on the tomcat package namespace not on the javax.servet one) , a very bad idea. It is not present in modern containers.

        Since 2002 [marc.info] is known that having it enabled was a bad idea. But you know, enterprise software is badly updated.

      • Just because SAP uses Tomcat or something that copies it, doesn't mean it's part of the J2EE spec.

        Here's a clue: the link you provided is sap.com, not oracle.com, java.com or java.net

        If you want to see the entire J2EE servlet spec, look at the java classes in javax.servlet.*

        How did you get modded up? You're completely wrong.

  • by Anonymous Coward on Thursday May 12, 2016 @05:41AM (#52096995)

    It's not like anyone can actually locate information in SAP in the first place. Could take decades for an outsider to figure out a business relationship, or the companies cost for something when you include the lag time for a simple query.

  • Or that what we were being told a few days ago. How could a VM based language like java have exploits?? VMs are the future, right?

    [/sarcasm]

  • by jools33 ( 252092 ) on Thursday May 12, 2016 @06:08AM (#52097077)

    SAP patched this problem back in 2010, and issued security notes for it made available to all its customers, and notified them all. The problem here is that some customers don't pay attention to their security notices and carry on regardless.

    • by Anonymous Coward

      So if I work for a business that uses SAP, is there a way for me to find out if it's patched and if my personal information is safe?

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Without access to the system? Doubtful. SAP Netweaver Application Server Java (NW AS JAVA) will only disclose the version numbers of the different components on it if you have the right to view the system information page on its own or within the Netweaver Administrator (NWA), which requires membership in a particular group or a particular role to be assigned to your user. And usually there are a variety of systems throughout the landscape.

        If an administrator uses SAP Solution Manager and uses the system re

        • by OzPeter ( 195038 )

          Also, just to point out GP's point- SAP patched this in 2010. You would have to be at a customer that didn't implement support packs on a system for more than five years.

          Never having used SAP, is the system such that a "If it ain't broke, don't fix it" mentality exists? Or in other words does SAP have a history of borking updates?

          • Re: (Score:3, Informative)

            by Anonymous Coward

            Depends on the customer and while enterprise software has longer support lifecycles, changes can and sometimes do brick things. Most SAP customers try to be at least proactive on security patches for obvious reasons.

            Even patchlevels within an SAP support pack level can break things. It's not common, but when you change the way a method works to secure it, a dependent program or call might not work. This is why you generally have at least a two tier landscape (development & production) and usually a 3-ti

          • by sapped ( 208174 )
            I work with SAP on a daily basis (hence my nickname) and there are some updates that will break stuff. Luckily this is preventable by pushing the update into your DEV system and then onwards into the QAS system prior to slamming it into PROD. There are some cowboys out there that will slam an SAP hotpack straight into PROD but if you're dealing with one of those guys you have bigger problems anyway.
      • by neilo_1701D ( 2765337 ) on Thursday May 12, 2016 @08:33AM (#52097645)

        So if I work for a business that uses SAP, is there a way for me to find out if it's patched and if my personal information is safe?

        Maybe. Send Another Payment and we'll open a support case with your partner. Once we have the signed work order, we get agrement on the scope of the work and begin.

        And remember: Send Another Payment.

    • SAP helps customers create customizations that may be broken by patches later. Whose fault is that?

    • I just patched an SAP server last week that hadn't been offline since early 2010.

      I wasn't patching SAP.

    • by Anonymous Coward

      SAP patched this problem back in 2010, and issued security notes for it made available to all its customers, and notified them all. The problem here is that some customers don't pay attention to their security notices and carry on regardless.

      More likely they looked at the security issue, then looked at the cost and time estimates from the consultants to patch their systems running into the hundreds of thousands and weeks of testing and maintenance then said to themselves "fuck it, I'll take my chances."

    • by EvilSS ( 557649 )
      Or they are just too scared to upgrade. I run into this all the time. There is a "if it ain't completely broke and on fire, don't touch it" mentality in corporate IT, especially when it comes to big line of business technologies like ERP. The idea of a upgrade or even a patch scares the crap out of them because if it fails, the business can stall waiting for it to be fixed. All the while the exec are raining hell down on the IT staff.
      • The idea of a upgrade or even a patch scares the crap out of them because if it fails, the business can stall waiting for it to be fixed.

        If they apply patches straight into production they don't deserve to be in business.

  • Sooooo (Score:2, Interesting)

    by Kokuyo ( 549451 )

    Let me get this straight: Does that mean someone at SAP just left a debug option turned on that essentially is a big honking barn door to the internet?

    I see an outcry of epic proportions coming where some schmuck gets fired and nobody of value (meaning CxOs) gets into trouble.

    • by Anonymous Coward

      I see an outcry of epic proportions coming where some schmuck gets fired and nobody of value (meaning CxOs) gets into trouble.

      I doubt it. SAP provided patches to the relevant components (ENGINEAPI, SAP J2EE ENGINE CORE, etc.) in 2010. You basically have to have failed in not only applying any new major release of SAP, but any recent support packs or patchlevels within older support packs for more than give years.

  • by Anonymous Coward

    I came here to see the comment that answers what 'between 2013' means. I am surprised that no one is nitpicking this yet. Where did all the grammar nazis go !?

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...