Slashdot Mirror


Attackers Targeting Critical SAP Flaw Since 2013 (threatpost.com)

msm1267 quotes a report from Threatpost: Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications. The attacks have been carried out since 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today. [The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.] The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps. The issue lies in the Invoker Servlet, which is part of the standard J2EE specification and enables developers to test custom Java applications. When it is enabled, developers and users can call these servlets over the Internet directly without authentication or authorization controls. Attackers, however, can take advantage of this same functionality to exploit these business critical systems.
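The exposure the summary describes is a configuration problem: an invoker servlet mapped at a path that no security-constraint covers. The following Python audit is an added example, not code from Threatpost, Onapsis, US-CERT or SAP. It parses a J2EE deployment descriptor (web.xml), flags any invoker-style servlet mapping (by class name, or by the conventional /servlet/* path) that lacks an auth-constraint, and shows the remediation of removing that servlet and its mapping. The sample descriptor is constructed; the class name org.apache.catalina.servlets.InvokerServlet is the Tomcat one, and SAP NetWeaver's own switch for the invoker servlet sits in the Java engine configuration rather than in a per-application web.xml, so treat this as the generic J2EE layout rather than an SAP-specific check.

```python
"""Audit a J2EE web.xml for an invoker servlet that is reachable without an
authentication constraint, and strip the servlet out as the remediation."""
import xml.etree.ElementTree as ET

# Constructed sample: a container-level web.xml with the invoker servlet
# enabled on /servlet/* and a security-constraint that only covers /reports/*.
INVOKER_ENABLED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet>
  <servlet><servlet-name>reports</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>reports</servlet-name><url-pattern>/reports/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Text of the first child element called `name`, or '' if absent."""
    for c in _children(elem, name):
        return (c.text or '').strip()
    return ''


def _covers(constraint_pattern, url_pattern):
    """True if a security-constraint url-pattern covers url_pattern: an exact
    match, the catch-all '/*', or a path prefix such as '/servlet/*'."""
    if constraint_pattern in (url_pattern, '/*'):
        return True
    if constraint_pattern.endswith('/*'):
        return url_pattern.startswith(constraint_pattern[:-1])
    return False


def _invoker_servlet_names(root):
    """Names of servlets whose class looks like an invoker servlet."""
    return {_text(s, 'servlet-name') for s in _children(root, 'servlet')
            if 'invoker' in _text(s, 'servlet-class').lower()}


def _is_invoker_mapping(mapping, invoker_names):
    """A mapping is invoker-style if it names an invoker servlet or uses the
    conventional /servlet/* path (first url-pattern only)."""
    return (_text(mapping, 'servlet-name') in invoker_names
            or _text(mapping, 'url-pattern') == '/servlet/*')


def audit_web_xml(xml_text):
    """Return one finding per invoker-servlet mapping: servlet name, url-pattern,
    and whether a security-constraint carrying an auth-constraint covers it.
    An unprotected finding is the exposure from the article: any servlet on the
    classpath can be called by class name with no login."""
    root = ET.fromstring(xml_text)
    invoker_names = _invoker_servlet_names(root)
    protected = []
    for sc in _children(root, 'security-constraint'):
        if not _children(sc, 'auth-constraint'):
            continue  # a constraint without auth-constraint requires no login
        for wrc in _children(sc, 'web-resource-collection'):
            protected += [(p.text or '').strip() for p in _children(wrc, 'url-pattern')]
    findings = []
    for m in _children(root, 'servlet-mapping'):
        if _is_invoker_mapping(m, invoker_names):
            pattern = _text(m, 'url-pattern')
            findings.append({'servlet': _text(m, 'servlet-name'), 'pattern': pattern,
                             'protected': any(_covers(p, pattern) for p in protected)})
    return findings


def remove_invoker_servlet(xml_text):
    """Return the descriptor with invoker servlets and their mappings removed,
    so only explicitly declared, access-controlled servlets stay reachable."""
    root = ET.fromstring(xml_text)
    invoker_names = _invoker_servlet_names(root)
    for s in _children(root, 'servlet'):          # list copy, safe to remove from
        if _text(s, 'servlet-name') in invoker_names:
            root.remove(s)
    for m in _children(root, 'servlet-mapping'):
        if _is_invoker_mapping(m, invoker_names):
            root.remove(m)
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    for finding in audit_web_xml(INVOKER_ENABLED_WEB_XML):
        print(finding)
    print('after remediation:', audit_web_xml(remove_invoker_servlet(INVOKER_ENABLED_WEB_XML)))
```

Run against the sample, the audit reports the invoker mapping at /servlet/* as unprotected, because the only auth-constraint covers /reports/*; after remove_invoker_servlet it reports nothing. Wrapping the invoker path in a security-constraint would also flip the finding to protected, but removing the servlet is the smaller attack surface, since the invoker lets any servlet class be reached by name regardless of what the descriptor declares.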

4 of 57 comments

  1. Sooooo by Kokuyo · Score: 1, Interesting

    Let me get this straight: Does that mean someone at SAP just left a debug option turned on that essentially is a big honking barn door to the internet?

    I see an outcry of epic proportions coming where some schmuck gets fired and nobody of value (meaning CxOs) gets into trouble.

  2. Re: SAP is not the problem here by Anonymous Coward · Score: 2, Interesting

    Without access to the system? Doubtful. SAP Netweaver Application Server Java (NW AS JAVA) will only disclose the version numbers of the different components on it if you have the right to view the system information page on its own or within the Netweaver Administrator (NWA), which requires membership in a particular group or a particular role to be assigned to your user. And usually there are a variety of systems throughout the landscape.

    If an administrator uses SAP Solution Manager and uses the system recommendations functionality - it will automatically check the components and corrections installed on a given system and notify them of any security related SAP Notes (code corrections/knowledgebase articles) that apply to a given SAP system.

    Also, just to point out GP's point- SAP patched this in 2010. You would have to be at a customer that didn't implement support packs on a system for more than five years.

  3. Re: SAP? by Anonymous Coward · Score: 4, Interesting

    A mishmash of technologies jammed together onto one platform that sells for millions. Expect to pay through the nose.

    Traditional big iron shops have COBOL and DB2 on the back end processing millions of transactions per day on IBM mainframes running zOS or OS390, with midrange servers hosting java apps for the modern web interface, or CICS on the mainframe if their asses are not in gear.
    Mixed in are a bunch of tools to support this.

    Now. SAP. In the 1970s some dudes from IBM saw COBOL and DB2, said "what a bunch of shit! We can do better" and left IBM to develop their own tech. ABAP is a language which looks, smells and feels like COBOL. The only difference is that the lifecycle promotion paths and environmental packaging and controls are stuck in the 70s. ABAP is effectively COBOL. HANA is the database the SAP guys dreamed up to combat DB2. It hasn't won yet. Give it time. They have yet to get out of the 90s in comparison with DB2. The SAP midrange machines run java jvms. Yay. Good on you guys for integrating java into the SAP stack.
    There are a bunch of tools to support all of this.

    The SAP guys then built some very crappy business software (ERP, CRM etc. - look it up) for one client, which they then adapted for selling to multiple clients. Their business model is to rock up to organisations paying millions to IBM and Microsoft and say: Pour your databases into SAP Hana, convert your code and business rules to ABAP and pay us millions for licences. It will be better! One vendor! One database! What could possibly go wrong? It has to be better than COBOL! Mainframes are old tech! Go midrange! Don't be vendor locked! Come! Join us!

    The stupid part is that they expect all data to be poured into their existing systems. ERP. CRM. Etc. Don't ever get anyone started on their business modelling tools and their grand plan to put all programmers out of work because the BA can code the business logic easily using the GUI.

  4. Re: J2EE? by Sique · Score: 2, Interesting

    It's the Standard J2EE feature. Its description is here: SAP: Invoker Servlet.

    --
    .sig: Sique *sigh*