TOMCAT 7.059 VULNERABILITY TO CROSS-SITE REQUEST FORGERY (XSRF)

Mar 14, 2017 at 10:52 AM

Former Member

Hi Experts,

Please assist. Pen test results show that my Tomcat version is vulnerable to Cross-site request forgery (XSRF). I am running BO Enterprise XI 4.0. Please, what is the right version to upgrade to, and will this break anything for me?

Please assist.


3 Answers

Best Answer
Denis Konovalov
Mar 14, 2017 at 12:06 PM

1. If you have concerns about security, you should log an SAP support incident.

2. If you want to upgrade the Tomcat you're using to a newer version, you need to:
a. Check whether your version of BOE will work with the desired version of Tomcat in the PAM (https://support.sap.com/release-upgrade-maintenance/pam.html)

b. Read this KBA

2232191 - *** Master KBA *** - How to install/upgrade/configure Apache Tomcat which is bundled with SAP BusinessObjects Business Intelligence 4.0/4.1/4.2

Also, please note that XSRF or XSS vulnerabilities are usually not in web application servers (Tomcat); they are in the web applications running on those servers, so you, most likely, will need to upgrade your BI platform.
The BI 4.0 you're using is very old; the current version is BI 4.2 SP3 and, as far as we know, it does not have any XSRF vulnerabilities.

P.S.

Another useful KBA is

1475602 - Support procedures for identifying and resolving security vulnerabilities in SAP Business Objects products
Make sure you read this one before logging an incident with SAP.

Former Member Mar 14, 2017 at 06:42 PM

Hi Denis,

Thank you, I will have a look.

Former Member Mar 23, 2017 at 12:14 PM

It appears cloud-based platforms, not infrastructure, are more vulnerable to Cross-Site Request Forgery (XSRF/CSRF).

As this document appears to suggest: https://help.hana.ondemand.com/help/frameset.htm?1f5f34e31ec64af8b5fef1796ea07c0a.html

What then are the chances of this sort of attack succeeding on a production server in an infrastructure-based setup protected by other network security such as firewalls?


Firewalls cannot protect against those attacks. And it doesn't matter whether it is cloud or not.

Infrastructure can be cloud and cloud is infrastructure.

Former Member

Hi Denis

Thanks for responding. With infrastructure here, I am referring to the physical SAP systems. I also do know that firewalls can't protect against such attacks, but wouldn't you expect a level of protection if web browsing is not run directly from a local production server?

Since this sort of attack depends on the attacker knowing the URL for the Tomcat Manager Application, and with unique naming conventions used on server infrastructure and ports, a level of protection is expected on a physical infrastructure residing behind the organisation's security setup.

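A worked illustration of the point made in the accepted answer and the comment above, that CSRF protection lives in the web application and not in the firewall or in the obscurity of a URL. This is an added example written for this page, not code from the thread, SAP or Tomcat; the `Request` class, the session store, the origin `https://bi.example.internal` and the `csrf_verdict` function are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed model of a server-side CSRF check: a per-session synchronizer
# token plus an Origin/Referer allow-list. Names here are this example's own.
ALLOWED_ORIGINS = {"https://bi.example.internal"}  # assumed origin of the BI app
SESSIONS: dict = {}  # constructed session store: session id -> session data


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session() -> str:
    """Create a logged-in session with its own unguessable CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": "alice", "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_verdict(req: Request) -> str:
    """Return 'allow' or a 'reject: ...' reason for a state-changing request."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return "allow"  # safe methods must not change state in the first place
    session = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if session is None:
        return "reject: no session"
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:  # fall back to Referer
        p = urlparse(req.headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    if origin not in ALLOWED_ORIGINS:  # absent header also fails closed
        return "reject: cross-site origin"
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session["csrf"]):
        return "reject: bad csrf token"
    return "allow"


def demo() -> dict:
    sid = new_session()
    token = SESSIONS[sid]["csrf"]
    # (1) the user submits the app's own form: cookie, same origin, matching token
    legit = Request("POST", {"JSESSIONID": sid}, {"Origin": "https://bi.example.internal"},
                    {"action": "deleteReport", "csrf_token": token})
    # (2) the same logged-in browser auto-submits a form served by another site;
    #     it reaches the server exactly like (1), through any firewall, because the
    #     browser attaches the session cookie, but it cannot read the token
    forged = Request("POST", {"JSESSIONID": sid}, {"Origin": "https://other.example"},
                     {"action": "deleteReport"})
    # (3) same origin but the token is missing: still rejected by the application
    untokened = Request("POST", {"JSESSIONID": sid}, {"Origin": "https://bi.example.internal"},
                        {"action": "deleteReport"})
    return {"legit": csrf_verdict(legit), "forged": csrf_verdict(forged),
            "untokened": csrf_verdict(untokened)}
```

Case (2) is the one a firewall cannot see: the request comes from an already authenticated browser on the inside, so only the application-level token and origin checks distinguish it from case (1).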