Security Holes Discovered In SAP NetWeaver Web App Platform

Cyber security vulnerabilities have been discovered in several components of SAP’s NetWeaver platform by security firm Positive Technologies.

The flaws in NetWeaver, which acts as an interoperable platform for building web-based apps that integrate business processes and databases from numerous sources, were found to enable hackers to carry out activities that could potentially lead to the compromise of a company’s IT systems.

Cross-site scripting (XSS) vulnerabilities were found in the SAP Enterprise Portal Navigation (CVSSv3 score 6.1) and SAP Enterprise Portal Theme Editor (three flaws with CVSSv3 scores 5.4, 6.1, and 6.1), while a vulnerability that enables arbitrary file upload was found in SAP’s NetWeaver Log Viewer.

SAP NetWeaver woes

The XSS flaws open up the components of SAP Enterprise Portal to attackers, who could use them to gain access to a user’s session tokens, login credentials, and other sensitive browser information. From there, Positive Technologies noted, an attacker could perform arbitrary actions on the victim’s behalf, rewrite HTML page content and intercept keystrokes.

With the NetWeaver Log Viewer flaw, the consequences of a successful cyber attack are even worse: because arbitrary code can be uploaded and executed on the server rather than in an isolated system, a file upload could compromise an entire targeted system or database, leading to attacks on back-end systems such as database platforms like SAP’s own HANA.

“Large companies all over the world use SAP to manage financial flows, product lifecycle, relationships with vendors and clients, company resources, procurement, and other critical business processes. It is vital to protect the information stored in SAP systems as any breach of confidential information could have a devastating impact on the business,” said Dmitry Gutsko, head of the business system security unit at Positive Technologies.

Users of NetWeaver 7.31 are advised to ensure their system has the latest update and to use tools certified for integration with SAP NetWeaver.

While a patch may take care of the flaws, the security holes are not great for SAP’s reputation, especially since it had to recently rush to squash security bugs in its HANA database platform.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
