SAP NetWeaver SOAP Interface Lets Remote Users Execute Arbitrary Commands

SecurityTracker Alert ID: 1027406
SecurityTracker URL: http://securitytracker.com/id/1027406
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 17 2012
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 7.02

Description:
A vulnerability was reported in SAP NetWeaver. A remote user can execute arbitrary commands on the target system.
A remote user can send specially crafted data to the SOAP interface of the SAPHostControl Service on TCP port 50013 to inject arbitrary commands on the target system. The code will run with the privileges of the SAP administrator.
The vendor was notified on September 16, 2011.
The original advisory is available at:
http://www.contextis.com/research/blog/sap4/
Michael Jordon of Context Information Security reported this vulnerability.

Impact:
A remote user can execute arbitrary commands on the target system.

Solution:
The vendor has issued a fix (SAP security note 1341333) [in May 2012].

Vendor URL: www.sap.com/
Cause: Access control error
Underlying OS: Windows (Any)