Security Advisories

The Onapsis Research Labs continuously researches the security of different business-critical solutions in order to better understand the risks involved and to provide our customers with novel, high-quality information to protect and assess their business technology environments. This research is also shared with the community, in the form of security advisories that describe the detected vulnerabilities.


Title Date
ONAPSIS-2010-004: SAP J2EE Authentication Phishing Vector

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. An attacker would send specially crafted emails to users of the Organization's SAP system. After they have been successfully authenticated by the application, they would be redirected to an attacker-controlled web site where he would be able to perform different attacks over their systems and/or trick them into providing sensitive information.

2010-02-10
ONAPSIS-2010-005: SAP J2EE Telnet Administration Security Check Bypass

By exploiting this vulnerability, an internal or external attacker would be able to retrieve sensitive technical information from the SAP J2EE system. This information can be used to replay authentication credentials and perform sensitive operations over the SAP landscape, possibly taking remote control of the affected systems.

2010-06-16
ONAPSIS-2010-006: SAP J2EE Web Services Navigator Cross-Site Scripting

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2010-07-13
ONAPSIS-2010-007: SAP Management Console Multiple Denial of Service

By exploiting this vulnerability, an unauthenticated internal or external attacker would be able to remotely disrupt the main management interface of the Organization's SAP systems. This would result in the impossibility of performing remote maintenance of the SAP landscape, forcing administrators to invest effort into restoring the system to its original state.

2010-09-22
ONAPSIS-2010-001: SAP WebAS Integrated ITS Remote Code Execution

By exploiting this vulnerability, an internal or external attacker would be able to execute arbitrary remote commands on vulnerable SAP Web Application Servers, taking complete control of the SAP system. With these privileges, he would be able to obtain, create, modify and/or delete any business-related information stored in the vulnerable SAP system.

2010-01-19
ONAPSIS-2010-002: SAP J2EE Engine MDB Path Traversal

By exploiting this vulnerability, an internal or external attacker would be able to access arbitrary files located in the SAP Server file-system. With this access, he would be able to obtain sensitive technical and business related information stored in the vulnerable SAP system.

2010-02-10
ONAPSIS-2010-003: SAP WebDynpro Runtime XSS/CSS Injection

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2010-02-10
ONAPSIS-2010-008: Oracle Virtual Server Agent Arbitrary File Access

By exploiting this vulnerability, an authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of integrity, availability and confidentiality of every virtual machine deployed in the OVS server.

2010-11-02
ONAPSIS-2010-009: Oracle Virtual Server Agent Remote Command Execution

By exploiting this vulnerability, an authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of integrity, availability and confidentiality of every virtual machine deployed in the OVS server.

2010-11-02
ONAPSIS-2011-008: Oracle JD Edwards JDENET CallObjectKernel Remote Command Execution

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2011-04-27
ONAPSIS-2011-016: SAP WebAS Malicious SAP Shortcut Generation

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2011-09-14
ONAPSIS-2011-014: SAP WebAS Remote Denial of Service

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely disrupt the SAP Application Server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

2011-09-14
ONAPSIS-2011-015: SAP WebAS webrfc Cross-Site Scripting

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2011-09-14
ONAPSIS-2011-012: Oracle JD Edwards JDENET Firewall Bypass

By exploiting this vulnerability, a remote unauthenticated attacker might be able to connect to the ERP system, bypassing weak network firewall configurations. This might result in obtaining remote access to the ERP system, even though this access was supposed to be restricted to internal networks.

2011-04-27
ONAPSIS-2011-013: Oracle JD Edwards JDENET USRBROADCAST Denial of Service

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely disrupt the JD Edwards server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

2011-04-27
ONAPSIS-2011-010: Oracle JD Edwards JDENET Remote Logging Deactivation

By exploiting this vulnerability, a remote unauthenticated attacker would be able to disable logging capabilities in the JD Edwards server. This could result in malicious activities becoming untraceable on the ERP Server.

2011-04-27
ONAPSIS-2011-011: Oracle JD Edwards JDENET Buffer Overflow

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2011-04-27
ONAPSIS-2012-008: Oracle JD Edwards Security Kernel Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to validate user credentials to access the ERP system. This would represent valuable information for performing more complex attacks against the ERP system.

2012-02-23
ONAPSIS-2010-010: Oracle Virtual Server Agent Local Privilege Escalation

By exploiting this vulnerability, a local authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of integrity, availability and confidentiality of every virtual machine deployed in the OVS server.

2010-11-02
ONAPSIS-2012-002: Oracle JD Edwards Security Kernel Remote Password Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2012-02-23
ONAPSIS-2012-003: Oracle JD Edwards SawKernel Arbitrary File Read

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access arbitrary files hosted on the ERP system. This would result in the total compromise of the ERP infrastructure.

2012-02-23
ONAPSIS-2012-001: Oracle JD Edwards JDENET Arbitrary File Write

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in a full compromise of the ERP infrastructure.

2012-02-23
ONAPSIS-2012-006: Oracle JD Edwards JDENET Large Packets Denial of Service

By exploiting this vulnerability, a remote unauthenticated attacker might trigger a denial of service on the JDENET service. This would result in the unavailability of most of the ERP services.

2012-02-23
ONAPSIS-2012-007: Oracle JD Edwards SawKernel SET_INI Configuration Modification

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2012-02-23
ONAPSIS-2012-004: Oracle JD Edwards SawKernel GET_INI Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2012-02-23
ONAPSIS-2012-005: Oracle JD Edwards JDENET Multiple Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access technical information of the ERP system. This might result in the disclosure of technical information that might be useful in further attacks against the ERP infrastructure.

2012-02-23
ONAPSIS-2011-009: Oracle JD Edwards JDENET SawKernel Remote Password Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to obtain valid access credentials and access or modify all the business information processed by the ERP system. This would result in the total compromise of the ERP infrastructure.

2011-04-27
ONAPSIS-2013-006: SAP SMD Agent Code Injection

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

2013-02-21
ONAPSIS-2013-005: SAP CCMS Agent Code Injection

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

2013-02-21
ONAPSIS-2013-004: SAP J2EE Core Service Arbitrary File Access

By exploiting this vulnerability, a remote unauthenticated attacker might be able to access or modify all the business information processed by the ERP system. This would result in the total compromise of the SAP infrastructure.

2013-02-21
ONAPSIS-2013-003: SAP Enterprise Portal Cross-Site-Scripting

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through complex social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2013-02-21
ONAPSIS-2013-002: SAP SDM Denial of Service

By exploiting this vulnerability, an attacker would be able to perform a sabotage attack over the service used to deploy and change software components in the SAP AS Java. This would prevent legitimate developers and administrators from performing and maintaining required business and technical activities.

2013-02-21
ONAPSIS-2013-001: SAP Portal PDC Information Disclosure

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through the exploitation of vulnerabilities in their systems.

2013-02-21
ONAPSIS-2011-001: SAP Management Console Unauthenticated Service Restart

By exploiting this vulnerability, an anonymous internal or external attacker would be able to remotely disrupt the main management interface of the Organization's SAP systems. This would result in the impossibility of performing remote maintenance of the SAP landscape, forcing administrators to invest effort into restoring the system to its original state.

2011-01-04
ONAPSIS-2011-003: SAP WebAS ITS Mobile Start Service Multiple Vulnerabilities

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2011-04-14
ONAPSIS-2011-002: SAP Management Console Information Disclosure

Abusing this functionality, a remote and unauthenticated attacker would be able to gain sensitive information from an SAP System. This information would help him in the process of compromising the security of the SAP server through more advanced attacks.

2011-01-04
ONAPSIS-2011-005: SAP Enterprise Portal Path Disclosure

By exploiting this vulnerability, an internal or external attacker would be able to obtain sensitive technical information from a vulnerable SAP Enterprise Portal system, which can be highly useful in the next phases of his attacks.

2011-04-14
ONAPSIS-2011-004: SAP WebAS ITS Mobile Test Service Multiple Vulnerabilities

By exploiting this vulnerability, an internal or external attacker would be able to perform attacks on the Organization's users through weaknesses in the SAP system. Upon a successful exploitation, he would be able to obtain sensitive information from legitimate users through social engineering attacks and/or exploit vulnerabilities in their systems in order to take control of them.

2011-04-14
ONAPSIS-2011-007: Oracle JD Edwards JDENET Kernel Shutdown Denial of Service

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely shut down the JD Edwards server. This would result in the total unavailability of the ERP functionality, preventing company users from performing the required business processes.

2011-04-27
ONAPSIS-2011-006: Oracle JD Edwards JDENET Kernel Denial of Service

By exploiting this vulnerability, an unauthenticated attacker would be able to remotely block certain functions of the JD Edwards server. This would result in the unavailability of certain services running in the JD Edwards server. These services are not critical for the common operation of the system.

2011-04-27
ONAPSIS-2014-002: SAP Security Audit Log Privilege Escalation

By exploiting this vulnerability, a remote attacker might be able to modify or permanently delete the log classes from the Security Audit Log facility.

2014-03-09
ONAPSIS-2014-003: SAP Business Object Framework for ABAP Hard-coded credentials

SAP BOPF for ABAP contains hard-coded credentials which could allow an attacker to extract data to which access should be restricted.

2014-03-09
ONAPSIS-2014-004: SAP Print and Output Management Hard-coded credentials

SAP Print and Output contains hard-coded credentials which could allow an attacker to extract data to which access should be restricted.

2014-03-09
ONAPSIS-2014-001: SAP HANA host names Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker could send a specially crafted malformed HTTP GET request to the HANA ICM process to obtain sensitive information such as the platform version, host name and instance number.

2014-01-07
ONAPSIS-2013-013: SAP BI Universal Data Integration SQL injection

By exploiting this vulnerability, a remote unauthenticated attacker would be able to execute arbitrary SQL queries over the J2EE schema with the objective of accessing and modifying all the business information processed by the ERP system. This would result in the total compromise of the SAP system.

2013-11-08
ONAPSIS-2013-012: SAP CCMS/Database Monitors for Oracle Information Disclosure

By exploiting this vulnerability, an attacker who has previously compromised the SAP system would be able to retrieve the database password in order to elevate his/her level of privileges over the affected system.

2013-08-08
ONAPSIS-2013-010: SAP J2EE Engine Configuration Service Authentication Information Disclosure

By exploiting this vulnerability a remote unauthenticated attacker would be able to retrieve access credentials and ultimately compromise the SAP system and all the business-related information stored in it.

2013-07-02
ONAPSIS-2013-011: SAP Guided Procedures Archive Monitor Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker would be able to discover identity information such as usernames, roles and profiles on the system and target his attack based on this information.

2013-07-02
ONAPSIS-2013-009: SAP Mobile Infrastructure Information Disclosure

By exploiting this vulnerability, a remote, unauthenticated attacker can abuse the vulnerable functionalities in order to perform an internal port scan of the application server.

2013-06-05
ONAPSIS-2013-008: SAP CMS/CM Services Directory Traversal

By exploiting this vulnerability an attacker could upload arbitrary files to any location on the web server. This could result in total compromise of business-critical information contained in the server.

2013-05-11
ONAPSIS-2013-007: SAP adminadapter Arbitrary File Read-Write

By exploiting this vulnerability a remote unauthenticated attacker would be able to completely compromise the SAP system and any information processed and stored in that system.

2013-03-27
ONAPSIS-2014-005: Information Disclosure in SAP SLM

By exploiting this vulnerability a remote unauthenticated attacker would be able to obtain technical information that could be used to perform more sophisticated attacks.

2014-04-28
ONAPSIS-2014-006: SAP Background Processing RFC Missing Authorization Check

By exploiting this vulnerability a remote authenticated attacker would be able to perform activities for which he is not authorized.

2014-04-28
ONAPSIS-2014-007: SAP Profile Maintenance RFC Missing Authorization Check

By exploiting this vulnerability a remote authenticated attacker would be able to perform activities for which he is not authorized.

2014-04-28
ONAPSIS-2014-008: SAP NW Portal WD Integration Information Disclosure

By exploiting this vulnerability a remote unauthenticated attacker would be able to retrieve sensitive information from the remote SAP system and use that information to escalate his/her privileges in the affected system.

2014-04-28
ONAPSIS-2014-009: SAP BASIS Missing Authorization Check

By exploiting this vulnerability an authenticated attacker will be able to abuse functionality that should be restricted, with the objective of escalating his/her privileges over the affected system.

2014-04-28
ONAPSIS-2014-010: SAP Business Objects InfoView Reflected Cross Site Scripting

A reflected Cross-Site Scripting vulnerability exists in the InfoView application. An attacker could send a link to a victim that, when clicked, could compromise their account.

2014-04-28
ONAPSIS-2014-011: SAP PS-ST and Project-Oriented Procurement Hard-coded credentials

SAP Project System Structures and Project-Oriented Procurement contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-012: SAP XX-CSC-BR Hard-coded Credentials

SAP Brazil Specific Add-On contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-013: SAP IS-OIL-DS-TSW Traders and Schedulers Workbench Hard-coded Credentials

SAP Oil Industry Solution Traders and Schedulers Workbench contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-014: SAP Upgrade tools for ABAP Hard-coded credentials

SAP Upgrade Tools contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-015: SAP Web Services Tool Hard-coded Credentials

SAP Web Services Tool contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-016: SAP CCMS Monitoring Hard-coded Credentials

SAP CCMS Monitoring contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-017: SAP Transaction Datapool Hard-coded Credentials

SAP Transaction Data Pool contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-018: SAP Capacity Leveling Hard-coded Credentials

SAP Capacity Leveling contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-019: SAP Open Hub Service Hard-coded Credentials

SAP Open Hub Service contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-06-06
ONAPSIS-2014-020: SAP Web Application Server ABAP Information Disclosure

By exploiting this vulnerability, a remote unauthenticated attacker might be able to modify technical information about the SAP systems, potentially leading to a full compromise of all business information.

2014-06-06
ONAPSIS-2014-021: SAP HANA XS missing encryption in form-based authentication

SAP HANA XS does not enforce encryption in form-based authentication. This could allow an anonymous user to capture valid credentials from the network and gain access to the system.

2014-07-29
ONAPSIS-2014-022: SAP HANA IU5 SDK Authentication Bypass

SAP HANA IU5 SDK Application does not enforce any authentication when it is explicitly configured. This could allow an anonymous user to access functions or information that should be restricted.

2014-07-29
ONAPSIS-2014-023: HTTP verb tampering issue in SAP_JTECHS

By exploiting this vulnerability a remote unauthenticated attacker would be able to access restricted functionality and change application server behavior or affect its performance.

2014-07-29
ONAPSIS-2014-024: Hard-coded Username in SAP FI Manager Self-Service

SAP FI Manager Self-Service contains a hard-coded username which could allow a user to access functions or information that should be restricted.

2014-07-29
ONAPSIS-2014-025: Multiple Cross Site Scripting Vulnerabilities in SAP HANA XS Administration Tool

The SAP HANA XS Administration Tool can be abused by potential attackers, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users.

2014-07-29
ONAPSIS-2014-026: Missing authorization check in function modules of BW-SYS-DB-DB4

By exploiting this vulnerability a remote authenticated attacker would be able to perform activities for which he is not authorized.

2014-07-29

Upcoming Advisories

The following list provides information about the upcoming Security Advisories discovered by the Onapsis Research Labs and their estimated release dates:

  • xx-2014: SAP Business Objects
  • xx-2014: SAP Netweaver ABAP
  • xx-2014: SAP Netweaver ABAP
  • xx-2014: SAP Netweaver ABAP
  • xx-2014: SAP Enterprise Portal
  • xx-2014: SAP J2EE Engine
  • xx-2014: SAP WebAS
  • xx-2014: SAP HANA
  • xx-2014: SAP HANA
  • xx-2014: SAP HANA
  • xx-2014: SAP HANA
  • xx-2014: Peoplesoft
  • xx-2014: Peoplesoft
  • xx-2014: Peoplesoft
  • xx-2014: Peoplesoft