Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

[PoC] SAP Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java

Overview

Recently, SAP released Security Note 3433192, which addresses a critical code injection vulnerability (CVE-2024-22127) within the SAP NetWeaver AS Java Administrator Log Viewer plug-in. This vulnerability allows attackers with high-level privileges to upload malicious files, potentially compromising system confidentiality, integrity, and availability.

Understanding the Vulnerability

The Log Viewer plug-in previously lacked comprehensive restrictions on uploadable file types, allowing attackers to exploit this gap for command injection. With a CVSS score of 9.1, this vulnerability is considered highly severe, with low complexity and no user interaction required, posing significant risks to affected systems.

Mitigation Steps

SAP has restricted the types of files that can be uploaded to prevent unauthorized commands from being executed. After applying the update, only specific file types (.log, .trc, .txt, .old, .out, .cld) can be uploaded, and these files must contain NWA log records.

As an additional security measure, administrators are encouraged to activate the log_FileUpload Virus Scan Profile. Although not mandatory, enabling this scan can help detect and block potential threats during file uploads.

Recommended Actions

  1. Upgrade: Ensure your SAP NetWeaver AS Java is updated to the latest patch that addresses this vulnerability. SAP Note 1974464 provides guidelines to avoid compatibility issues during this process.

  2. Configure Virus Scan Profile: Activate the log_FileUpload profile to enhance security. This scan is essential in detecting and mitigating potentially harmful files that bypass upload restrictions.

  3. Role Adjustment: Temporarily, consider restricting access to the Log Viewer with roles that limit permissions. For instance, using the NWA_READONLY role can reduce risks while a permanent solution is implemented.

Stay Proactive with SAP Security

Addressing vulnerabilities promptly is essential, but proactive measures like penetration testing can further enhance your SAP system’s defenses. RedRays offers comprehensive SAP Penetration Testing services to identify and mitigate security gaps before they can be exploited. Secure your SAP environment with RedRays today!

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.