Slashdot Mirror


Attackers Targeting Critical SAP Flaw Since 2013 (threatpost.com)

msm1267 quotes a report from Threatpost: Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications. The attacks were carried out between 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today. [The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.] The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps. The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business critical systems.

57 comments

  1. J2EE? by viperidaenz · · Score: 3, Informative

    Standard J2EE or an old Tomcat feature?

    org.apache.catalina.servlets.InvokerServlet

    It needs to be explicitly enabled to be active.

    1. Re:J2EE? by Sique · · Score: 2, Interesting

      It's the Standard J2EE feature. Its description is here: SAP: Invoker Servlet.

      --
      .sig: Sique *sigh*
    2. Re:J2EE? by robmv · · Score: 4, Informative

      The invoker servlet and its default mapping /servlet/* isn't present in old or current specs. It is not a JEE standard and never was. It was a feature many JEE containers copied mainly because Tomcat at that time was the reference implementation (the invoker servlet class was in the Tomcat package namespace, not in the javax.servlet one), a very bad idea. It is not present in modern containers.

      Since 2002 it has been known that having it enabled was a bad idea. But you know, enterprise software is badly updated.

    3. Re:J2EE? by viperidaenz · · Score: 1

      Just because SAP uses Tomcat or something that copies it, doesn't mean it's part of the J2EE spec.

      Here's a clue: the link you provided is sap.com, not oracle.com, java.com or java.net

      If you want to see the entire J2EE servlet spec, look at the java classes in javax.servlet.*

      How did you get modded up? You're completely wrong.
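
Worked example added here, not code from Slashdot, Threatpost, Onapsis or SAP: a Python audit of a Tomcat-style web.xml that reports whether the invoker servlet the thread names (org.apache.catalina.servlets.InvokerServlet, conventionally mapped to /servlet/*) is actually mapped, whether any security-constraint covers that mapping, and which URL the invoker would use to reach a servlet class by name. That last point is why it sidesteps authentication: constraints are written for the application's own paths, while the invoker exposes the same class under its own prefix. The two descriptors and the com.example.ReportServlet class are constructed for the demo; the property SAP NetWeaver AS Java uses to enable its invoker servlet is not on this page and is not modelled.

```python
import xml.etree.ElementTree as ET

# Invoker class named in the thread (Tomcat's). SAP's container class is not
# on the page, so it is not listed; add it if you know it for your system.
INVOKER_CLASSES = {"org.apache.catalina.servlets.InvokerServlet"}
INVOKER_NAMES = {"invoker"}  # servlet-name used by Tomcat's default web.xml


def _local(tag):
    """Drop an XML namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, wanted):
    """Text of each direct child whose local tag name is in `wanted`."""
    out = {}
    for child in elem:
        name = _local(child.tag)
        if name in wanted:
            out[name] = (child.text or "").strip()
    return out


def find_invoker_mappings(web_xml):
    """url-patterns that route to an invoker servlet.

    A bare <servlet> declaration is inert; it becomes reachable only when a
    <servlet-mapping> points at it, so the mappings are what get reported.
    """
    root = ET.fromstring(web_xml)
    invoker_names = set()
    for el in root.iter():
        if _local(el.tag) == "servlet":
            f = _children(el, {"servlet-name", "servlet-class"})
            if (f.get("servlet-class") in INVOKER_CLASSES
                    or f.get("servlet-name") in INVOKER_NAMES):
                invoker_names.add(f.get("servlet-name"))
    patterns = []
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            f = _children(el, {"servlet-name", "url-pattern"})
            if f.get("servlet-name") in invoker_names and f.get("url-pattern"):
                patterns.append(f["url-pattern"])
    return patterns


def constrained_patterns(web_xml):
    """url-patterns inside <security-constraint> blocks (where auth applies)."""
    root = ET.fromstring(web_xml)
    out = set()
    for el in root.iter():
        if _local(el.tag) == "security-constraint":
            for sub in el.iter():
                if _local(sub.tag) == "url-pattern":
                    out.add((sub.text or "").strip())
    return out


def _covers(constraint, target):
    """Prefix coverage: '/*' covers all, '/x/*' covers paths under /x/."""
    if constraint == "/*":
        return True
    if constraint.endswith("/*") and target.startswith(constraint[:-1]):
        return True
    return constraint == target


def audit(web_xml):
    """Enabled invoker mappings, and which of them no constraint protects."""
    mappings = find_invoker_mappings(web_xml)
    constraints = constrained_patterns(web_xml)
    unprotected = [m for m in mappings
                   if not any(_covers(c, m) for c in constraints)]
    return {"enabled": bool(mappings), "mappings": mappings,
            "unprotected_patterns": unprotected}


def invoker_url(mapping, servlet_class):
    """Path a Tomcat-style invoker uses to load a class by name:
    the mapping prefix followed by the fully-qualified class name."""
    prefix = mapping[:-1] if mapping.endswith("/*") else mapping.rstrip("/") + "/"
    return prefix + servlet_class


# Constructed sample: invoker declared and mapped; auth only covers /admin/*.
ENABLED_WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>report</servlet-name>
    <url-pattern>/admin/report</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: same declaration, but the mapping is commented out, as
# later Tomcat default descriptors ship it. No mapping means not enabled.
DISABLED_WEB_XML = ENABLED_WEB_XML.replace(
    "<servlet-mapping><servlet-name>invoker</servlet-name>\n"
    "    <url-pattern>/servlet/*</url-pattern></servlet-mapping>",
    "<!-- invoker mapping removed -->")

if __name__ == "__main__":
    for label, xml in (("enabled", ENABLED_WEB_XML), ("disabled", DISABLED_WEB_XML)):
        print(label, audit(xml))
    # /admin/report requires the admin role; the invoker reaches the same class here:
    print(invoker_url("/servlet/*", "com.example.ReportServlet"))
```

The "disabled" descriptor still declares the invoker class, which is why a grep for the class name alone gives false positives; the mapping is the thing to check. The coverage test is a deliberate simplification of the servlet spec's pattern matching, enough to show that a constraint on /admin/* says nothing about /servlet/*.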

  2. Meh. No biggie by Anonymous Coward · · Score: 5, Funny

    It's not like anyone can actually locate information in SAP in the first place. Could take decades for an outsider to figure out a business relationship, or the company's cost for something when you include the lag time for a simple query.

  3. Re:Meh. No biggie by Anonymous Coward · · Score: 0

    It's not like anyone can actually locate information in SAP in the first place. Could take decades for an outsider to figure out a business relationship, or the company's cost for something when you include the lag time for a simple query.

    There certainly isn't any information in the summary about it.

    So.... Yes! You are correct!

  4. SAP? by Anonymous Coward · · Score: 0

    WTF is SAP?

    1. Re:SAP? by RobinH · · Score: 4, Informative

      Most companies above a certain size run a type of software called "Enterprise Resource Management" or "ERP". The functionality is a bit nebulous, but it can include everything from purchasing to HR, inventory, ordering, fulfillment, etc. It's the software that essentially runs the business. There are lots of ERP systems out there, but SAP is a very very big (probably the biggest) one. There's probably some statistic about X% of fortune 500 companies use SAP as their ERP system. It's kind of notorious for being 1) expensive to license, 2) expensive to customize, 3) expensive for users to be trained on, and 4) generally sold more on the pretty graphs management gets to see rather than on the usefulness it brings to the company. Good developers who know SAP customization are paid a lot of money. Typical SAP implementations for a large business will run into the millions of dollars easily.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    2. Re:SAP? by Anonymous Coward · · Score: 1

      SAP is like Oracle without the gigantic asshole boss.

    3. Re: SAP? by Anonymous Coward · · Score: 4, Interesting

      A mishmash of technologies jammed together onto one platform that sells for millions. Expect to pay through the nose.

      Traditional big iron shops have COBOL and DB2 on the back end processing millions of transactions per day on IBM mainframes running zOS or OS390, with midrange servers hosting Java apps for the modern web interface, or CICS on the mainframe if their asses are not in gear.
      Mixed in are a bunch of tools to support this.

      Now. SAP. In the 1970s some dudes from IBM saw COBOL and DB2, said "what a bunch of shit! We can do better" and left IBM to develop their own tech. ABAP is a language which looks, smells and feels like COBOL. The only difference is that the lifecycle promotion paths and environmental packaging and controls are stuck in the 70s. ABAP is effectively COBOL. HANA is the database the SAP guys dreamed up to combat DB2. It hasn't won yet. Give it time. They have yet to get out of the 90s in comparison with DB2. The SAP midrange machines run Java JVMs. Yay. Good on you guys for integrating Java into the SAP stack.
      There are a bunch of tools to support all of this.

      The SAP guys then built some very crappy business software (ERP, CRM, etc. - look it up) for one client, which they then adapted for selling to multiple clients. Their business model is to rock up to organisations paying millions to IBM and Microsoft and say: Pour your databases into SAP HANA, convert your code and business rules to ABAP and pay us millions for licences. It will be better! One vendor! One database! What could possibly go wrong? It has to be better than COBOL! Mainframes are old tech! Go midrange! Don't be vendor locked! Come! Join us!

      The stupid part is that they expect all data to be poured into their existing systems. ERP. CRM. Etc. Don't ever get anyone started on their business modelling tools and their grand plan to put all programmers out of work because the BA can code the business logic easily using the GUI.

    4. Re:SAP? by Zocalo · · Score: 2

      That's *raging* asshole, specifically "One Raging Asshole Called Larry Ellison".

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:SAP? by Big+Hairy+Ian · · Score: 3

      Good developers who know SAP customization are paid a lot of money.

      Who said they needed to be good?

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    6. Re:SAP? by erp_consultant · · Score: 3, Informative

      Had to weigh in here....

      SAP is either the #1 or #2 (depending on which stats you believe) ERP vendor. ERP is just a fancy term for integrated software. In the past many companies would have one vendor for their Accounting software, one for their Payroll, and another for Inventory. And so on. Often these disparate systems would be written in different languages with different data models making it very difficult to pass information from Accounting to Inventory, etc. For really big companies we could be talking dozens or even hundreds of systems.

      SAP (as well as Oracle, Workday, NetSuite) comes with built-in integration. You can buy as many or as few modules as you like knowing that they are designed to work together. That's a big deal for huge companies.

      The other selling point is regulatory compliance. Big companies are subject to an enormous amount of regulatory compliance from various government agencies and this type of software is built around that.

      Is it big and cumbersome and expensive? Sure. But it's not as expensive as not being able to ship your products, or take customer orders, or pay your employees. Bottom line...the software works. When things go wrong it's usually because of poor decisions.

    7. Re:SAP? by CCarrot · · Score: 2

      SAP is like Oracle

      ^^^THIS.

      I was so excited to be able to drop Lotus Bloats forever (and start the healing process) after I left my last job ...right up until I ran into SAP for the very first time in my new position.

      Welcome back non-intuitive user interfaces, without even the pretense of internal consistency within itself, much less anything outside its own microcosm. Hello again cryptic and (again) inconsistent icon sets. So glad to see you again, labyrinthine layers of well-buried (but critical to actual use of the system, if you're trying to actually dig any data out of it) options and navigation paths. Oh, and the help? Hahahahahahahahahahaha! Reads like it's designed by accountants for accountants, but actually used for maintenance and work order tracking, so used more by tradesmen than finance-oriented people (at least our portion is)...oh, and if you can manage to figure out what cryptic-damn-buried transaction code you need to use, chances are you don't have permission to actually use it.

      goddammit.

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    8. Re: SAP? by Anonymous Coward · · Score: 0

      They'll be replaced with cheap Indians otherwise

    9. Re: SAP? by Anonymous Coward · · Score: 0

      LOLOLOL at this username.

      Nahhhhhh this guy doesn't have an agenda.
        Lolololol what the fuck.

    10. Re: SAP? by erp_consultant · · Score: 1

      I usually don't respond to AC's but for the record I don't work on SAP systems. But I've been working on ERP systems for 18 years so I speak with some authority on it. Someone asked what SAP was so I shared some knowledge. Take it or leave it pal.

    11. Re: SAP? by Hognoxious · · Score: 1

      ABAP is effectively COBOL.

      If you write it badly it is.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. But but, I thought it was C that was insecure? by Viol8 · · Score: 2

    Or that's what we were being told a few days ago. How could a VM based language like Java have exploits?? VMs are the future, right?

    [/sarcasm]

  6. SAP is not the problem here by jools33 · · Score: 3, Informative

    SAP patched this problem back in 2010, and issued security notes for it made available to all its customers, and notified them all. The problem here is that some customers don't pay attention to their security notices and carry on regardless.

    1. Re: SAP is not the problem here by Anonymous Coward · · Score: 1

      So if I work for a business that uses SAP, is there a way for me to find out if it's patched and if my personal information is safe?

    2. Re: SAP is not the problem here by Anonymous Coward · · Score: 2, Interesting

      Without access to the system? Doubtful. SAP Netweaver Application Server Java (NW AS JAVA) will only disclose the version numbers of the different components on it if you have the right to view the system information page on its own or within the Netweaver Administrator (NWA), which requires membership in a particular group or a particular role to be assigned to your user. And usually there are a variety of systems throughout the landscape.

      If an administrator uses SAP Solution Manager and uses the system recommendations functionality - it will automatically check the components and corrections installed on a given system and notify them of any security related SAP Notes (code corrections/knowledgebase articles) that apply to a given SAP system.

      Also, just to point out GP's point- SAP patched this in 2010. You would have to be at a customer that didn't implement support packs on a system for more than five years.

    3. Re: SAP is not the problem here by OzPeter · · Score: 2

      Also, just to point out GP's point- SAP patched this in 2010. You would have to be at a customer that didn't implement support packs on a system for more than five years.

      Never having used SAP, is the system such that a "If it ain't broke, don't fix it" mentality exists? Or in other words does SAP have a history of borking updates?

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re: SAP is not the problem here by Anonymous Coward · · Score: 3, Informative

      Depends on the customer and while enterprise software has longer support lifecycles, changes can and sometimes do brick things. Most SAP customers try to be at least proactive on security patches for obvious reasons.

      Even patchlevels within an SAP support pack level can break things. It's not common, but when you change the way a method works to secure it, a dependent program or call might not work. This is why you generally have at least a two tier landscape (development & production) and usually a 3-tier (development/quality/prod) or 4-tier landscape (dev/pre-q/QA-prod) for SAP - so you can breakfix your changes.

      The flaw described in OP is from the Netweaver Java side - not the 40+ year old ABAP side. In ABAP, you can patch the system for most code corrections while it is online, without taking it down, and just patching the specific symptom or program you want. In Java, you have to take it in the patchlevel of a component - meaning you have to apply it to the system (taking some downtime) and taking whatever other corrections are included in that component. The patches in OP were not exclusively part of support packs (where new functionality could be introduced), meaning there was a lower risk of change.

      Most larger SAP customers generally tried to implement at least an SAP Support Package stack at least once every 1-3 years, with patchlevels in Java coming per SAP recommendation. While customers I went to were generally good about applying security related SAP Notes in Application server ABAP, sometimes customers were less proactive on the AS Java side.

    5. Re:SAP is not the problem here by drinkypoo · · Score: 1

      SAP helps customers create customizations that may be broken by patches later. Whose fault is that?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:SAP is not the problem here by JasonM314 · · Score: 1

      I just patched an SAP server last week that hadn't been offline since early 2010.

      I wasn't patching SAP.

    7. Re: SAP is not the problem here by neilo_1701D · · Score: 4, Insightful

      So if I work for a business that uses SAP, is there a way for me to find out if it's patched and if my personal information is safe?

      Maybe. Send Another Payment and we'll open a support case with your partner. Once we have the signed work order, we get agreement on the scope of the work and begin.

      And remember: Send Another Payment.

    8. Re:SAP is not the problem here by Anonymous Coward · · Score: 1

      SAP patched this problem back in 2010, and issued security notes for it made available to all its customers, and notified them all. The problem here is that some customers don't pay attention to their security notices and carry on regardless.

      More likely they looked at the security issue, then looked at the cost and time estimates from the consultants to patch their systems running into the hundreds of thousands and weeks of testing and maintenance then said to themselves "fuck it, I'll take my chances."

    9. Re: SAP is not the problem here by Anonymous Coward · · Score: 0

      Also, just to point out GP's point- SAP patched this in 2010. You would have to be at a customer that didn't implement support packs on a system for more than five years.

      oh so just most places...

    10. Re:SAP is not the problem here by EvilSS · · Score: 1

      Or they are just too scared to upgrade. I run into this all the time. There is a "if it ain't completely broke and on fire, don't touch it" mentality in corporate IT, especially when it comes to big line of business technologies like ERP. The idea of a upgrade or even a patch scares the crap out of them because if it fails, the business can stall waiting for it to be fixed. All the while the exec are raining hell down on the IT staff.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    11. Re: SAP is not the problem here by Anonymous Coward · · Score: 0

      oh so just most places...

      Not even close. Most customers will implement a new support package on their systems at least once every 1-3 years, and patchlevels within supportpacks on at least a couple times a year, if not more.

    12. Re: SAP is not the problem here by Anonymous Coward · · Score: 0

      I thought it was Sit And Pray. That is what I have to do every day when I use SAP software and I say that as somebody who works for SAP (although through an acquisition).

    13. Re: SAP is not the problem here by Anonymous Coward · · Score: 0

      Or Stops All Production.

    14. Re:SAP is not the problem here by Hognoxious · · Score: 1

      The idea of a upgrade or even a patch scares the crap out of them because if it fails, the business can stall waiting for it to be fixed.

      If they apply patches straight into production they don't deserve to be in business.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    15. Re: SAP is not the problem here by sapped · · Score: 1

      I work with SAP on a daily basis (hence my nickname) and there are some updates that will break stuff. Luckily this is preventable by pushing the update into your DEV system and then onwards into the QAS system prior to slamming it into PROD. There are some cowboys out there that will slam an SAP hotpack straight into PROD but if you're dealing with one of those guys you have bigger problems anyway.

  7. Sooooo by Kokuyo · · Score: 1, Interesting

    Let me get this straight: Does that mean someone at SAP just left a debug option turned on that essentially is a big honking barn door to the internet?

    I see an outcry of epic proportions coming where some schmuck gets fired and nobody of value (meaning CxOs) gets into trouble.

    1. Re:Sooooo by Anonymous Coward · · Score: 1

      I see an outcry of epic proportions coming where some schmuck gets fired and nobody of value (meaning CxOs) gets into trouble.

      I doubt it. SAP provided patches to the relevant components (ENGINEAPI, SAP J2EE ENGINE CORE, etc.) in 2010. You basically have to have failed in not only applying any new major release of SAP, but any recent support packs or patchlevels within older support packs, for more than five years.

    2. Re:Sooooo by Anonymous Coward · · Score: 0

      One thing you learn very early when dealing with Java and J2EE especially is if it's working, you don't touch it!

      Patching Java is a horrible idea, because it will break something. I don't know how Sun borked backwards compatibility that badly, but basically every Java upgrade ever has been a disaster of existing applications breaking.

      Of course, Java is also full of holes, so not patching isn't really an option either. So what ends up happening is that you end up not patching (because it'll break critical systems) and end up creating horrible security workarounds to try and block access to the flaws while keeping your mission critical systems running on the one version of Java they'll run on.

      So I'm not surprised that many companies haven't upgraded or applied the patch, even if it has been six years. Java is fragile - you don't want to touch it once it's working.

    3. Re:Sooooo by Anonymous Coward · · Score: 0

      It's not a JVM patch though, it's a patch within the SAP Application itself that runs on Java. Two totally different types and levels of change.

    4. Re:Sooooo by Anonymous Coward · · Score: 1

      Another BS post from someone whose entire knowledge of the language is based on FUD read on the internet.

      Java's record on backward compatibility is actually legendary - it is usually safe to upgrade the JVM without worrying about breaking existing applications. The only notable exception was the introduction of the 'assert' keyword in 1.4.

    5. Re:Sooooo by Anonymous Coward · · Score: 0

      You know why the Java installer leaves old versions installed, even for security patches?

      Because Sun knew and Oracle still knows that Java patches break things.

      The company I work for recently went through a very painful transition to Java 6. We're not looking forward to being forced to Java 7 but the hope is with OpenJDK we might not have to.

      Java and anything built on Java is amazingly fragile. I'm not at all surprised people would opt not to patch the SAP Java services. Any update could break everything.

    6. Re:Sooooo by Anonymous Coward · · Score: 0

      Java on the virtual machine/runtime environment for client systems leaves prior versions behind because of all the drive by Java attacks needing security changes, and in corporate environments these changes lead to older versions of enterprise applications that ran on Java to either not run because they weren't digitally signed or were not signed up to the standards of newer Java releases.
      This doesn't really apply in the server world to the same degree, because those security changes were largely around applets and Java webstart (JNLP), and because major releases of enterprise software that runs on Java on the server side are geared around specific releases (older SAP releases, like SAP AS JAVA Netweaver 702, run on Java 4 - SAP maintains the codebase for it since Java 1.4 is generally not supported by partner JVMs anymore).

      In any case the updates in the security issue described in OP have nothing to do with the JRE version and instead the specific version of a component deployed within SAP's Java server, so what you're saying doesn't apply.

    7. Re: Sooooo by Anonymous Coward · · Score: 0

      In our office I still have a copy of Java 1.4 installed. We have some HP printers whose web interface (the only way of interacting with the device) will not work with later versions. I work in the public sector and the taxpayers will not abide replacing something that still works... supported or not.

  8. Re:Meh. No biggie by M0j0_j0j0 · · Score: 2

    SELECT * FROM BSEG , that should be enough.

  9. CMU has no cred left... by Anonymous Coward · · Score: 0

    after what they did for the feds...

    find someone else to host CERT, please.

    1. Re: CMU has no cred left... by Anonymous Coward · · Score: 0

      Source? Citation?

    2. Re: CMU has no cred left... by Anonymous Coward · · Score: 0

      Don't you keep up with the news? There's heavy FBI funding (and court cajoling) at that institution.

    3. Re: CMU has no cred left... by Anonymous Coward · · Score: 0

      Mod up. They cannot be trusted with anything.

      Once you start making keys for the boss's locks, you can no longer make keys for the peasant's lock.

  10. Invoker Servlet by Anonymous Coward · · Score: 0

    When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls.

    What could possibly go wrong?! Sounds like anyone running with this enabled deserves whatever they get. Unless it comes with full public read/write enabled and exposed by default like some software (coughmongodbcough).

  11. What I really want to know by Anonymous Coward · · Score: 2, Informative

    I came here to see the comment that answers what 'between 2013' means. I am surprised that no one is nitpicking this yet. Where did all the grammar nazis go !?

    1. Re:What I really want to know by Anonymous Coward · · Score: 0

      comment that answers what 'between 2013' means.

      It obviously means one of the following:
      * 2 <-here-> 013
      * 20 <-here-> 13
      * 201 <-here-> 3

  12. Re:Meh. No biggie by raftpeople · · Score: 1

    Possibly a CIA honeypot designed to consume hackers time?

  13. no love for hurd the turd or safra katz? by Anonymous Coward · · Score: 0

    most oracle people I know (& I know quite a few) hate them WAY more than larry. she's practically voldemort - people shudder & cower at the very utterance of her name...

  14. haha karma by Anonymous Coward · · Score: 0

    Anyone crazy enough to willingly seek out, pay for and install this platform really has it coming.

    This bug is one of many, and actually one of the rare ones they bothered to deal with. Do some googling and be amazed at the "unpatchable" SAP flaws that have existed for years. This software platform is a fucking sieve. To be fair, all complex software will have bugs, but these guys take it to a whole other level.

    1. Re: haha karma by Anonymous Coward · · Score: 0

      This.
      So much.
      SAP is not a solution.
      SAP is a multitude of problems needing to be breakfixed.