Attackers Targeting Critical SAP Flaw Since 2013

msm1267 quotes a report from Threatpost: Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications. The attacks were carried out between 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today. [The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.] The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps. The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business critical systems.

Re:SAP?

[RobinH]

Most companies above a certain size run a type of software called "Enterprise Resource Management" or "ERP". The functionality is a bit nebulous, but it can include everything from purchasing to HR, inventory, ordering, fulfillment, etc. It's the software that essentially runs the business. There are lots of ERP systems out there, but SAP is a very very big (probably the biggest) one. There's probably some statistic about X% of fortune 500 companies use SAP as their ERP system. It's kind of notorious for being 1) expensive to license, 2) expensive to customize, 3) expensive for users to be trained on, and 4) generally sold more on the pretty graphs management gets to see rather than on the usefulness it brings to the company. Good developers who know SAP customization are paid a lot of money. Typical SAP implementations for a large business will run into the millions of dollars easily.

Re:J2EE?

[robmv]

The invoker servlet and its default mapping /servlet/* isn't present in old nor current specs. It is not a JEE standard or was. It was a feature many JEE containers copied mainly because Tomcat at that time was the reference implementation (The invoker servlet class was on the tomcat package namespace not on the javax.servet one) , a very bad idea. It is not present in modern containers.

Since 2002 is known that having it enabled was a bad idea. But you know, enterprise software is badly updated.