TOMCAT 7.059 VULNERABILITY TO CROSS-SITE REQUEST FORGERY(XSRF)

Hi Experts,

Please assist. Pen test results show that my Tomcat version is vulnerable to cross-site request forgery (XSRF). I am running BO Enterprise XI 4.0. Please, what is the right version to upgrade to, and will this break anything for me?

Please assist.

Accepted Solutions (1)

denis_konovalov
Active Contributor

1. If you have concerns about security, you should log an SAP support incident.

2. If you want to upgrade the Tomcat you're using to a newer version, you need to:
a. Check if your version of BOE will work with the desired version of Tomcat in the PAM (https://support.sap.com/release-upgrade-maintenance/pam.html )

b. Read this KBA

2232191 - *** Master KBA *** - How to install/upgrade/configure Apache Tomcat which is bundled with...

Also, please note, XSRF or XSS vulnerabilities are usually not in web application servers (Tomcat); they are in the web applications that are running on those servers, so you, most likely, will need to upgrade your BI platform.
The BI 4.0 you're using is very old; the current version is BI 4.2 SP3 and, as far as we know, it does not have any XSRF vulnerabilities.

p.s.

Another useful KBA is

1475602 - Support procedures for identifying and resolving security vulnerabilities in SAP Business...
Make sure you read this one before logging an incident with SAP.

Answers (2)

It appears cloud-based platforms, not infrastructure, are more vulnerable to cross-site request forgery (XSRF/CSRF).

As this document appears to suggest: https://help.hana.ondemand.com/help/frameset.htm?1f5f34e31ec64af8b5fef1796ea07c0a.html

What, then, are the chances of this sort of attack succeeding on a production server in an infrastructure-based setup protected by other network security such as firewalls?

denis_konovalov
Active Contributor
Firewalls cannot protect against those attacks. And it doesn't matter whether it is cloud or not.

Infrastructure can be cloud and cloud is infrastructure.

Hi Denis

Thanks for responding. By infrastructure here, I am referring to the physical SAP systems. I also do know that firewalls can't protect against such attacks, but wouldn't you expect a level of protection if web browsing is not run directly from a local production server?

Since this sort of attack depends on the attacker knowing the URL for the Tomcat Manager Application, and with unique naming conventions used on server infrastructure and ports, a level of protection is expected on a physical infrastructure residing behind the organisation's security setup.
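The question above is whether a firewall or non-obvious URLs give any protection. The defensive point made earlier in the thread is that they do not: a forged request is issued by the victim's own browser, already inside the network and already carrying the victim's session cookie, so the server cannot tell it apart by source address. What does distinguish it is a per-session token the cross-site page cannot read, plus the browser-supplied Origin/Referer headers. The servlet filter below is an added example for a Tomcat-hosted application; it is not code from this thread, from SAP BI or from Tomcat, and the attribute, header, parameter and init-parameter names (`csrf.token`, `X-CSRF-Token`, `csrfToken`, `expectedOrigin`) are assumptions. It targets the Servlet 3.0 API (`javax.servlet`) that Tomcat 7 provides and uses `java.util.Base64`, so it assumes Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical CSRF guard (not part of Tomcat or SAP BI): a synchronizer token
// kept in the HttpSession, plus an Origin/Referer check, on state-changing requests.
public class CsrfGuardFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";     // session attribute name (assumed)
    static final String TOKEN_HEADER = "X-CSRF-Token"; // header an XHR client sends (assumed)
    static final String TOKEN_PARAM = "csrfToken";     // hidden form field name (assumed)
    private final SecureRandom rng = new SecureRandom();
    private String expectedOrigin;                     // e.g. "https://bi.example.com" (assumed, from web.xml)

    @Override
    public void init(FilterConfig cfg) {
        expectedOrigin = cfg.getInitParameter("expectedOrigin");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Every session gets one unguessable token. Pages render it into forms as a
        // hidden field, or hand it to scripts that send it in the X-CSRF-Token header.
        // A page on another origin cannot read it, so it cannot forge a valid request.
        HttpSession session = req.getSession(true);
        String sessionToken = (String) session.getAttribute(TOKEN_ATTR);
        if (sessionToken == null) {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            sessionToken = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, sessionToken);
        }

        // Reads pass through; only requests that can change state are checked.
        if (isSafeMethod(req.getMethod())) {
            chain.doFilter(request, response);
            return;
        }

        // The forged request arrives with the victim's cookies from the victim's
        // browser, so source IP and firewall rules say nothing about it. The
        // browser-set Origin (or Referer) header does, because scripts cannot forge it.
        if (!originAllowed(req.getHeader("Origin"), req.getHeader("Referer"))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site origin");
            return;
        }

        String presented = req.getHeader(TOKEN_HEADER);
        if (presented == null) {
            presented = req.getParameter(TOKEN_PARAM);
        }
        if (presented == null || !constantTimeEquals(sessionToken, presented)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(request, response);
    }

    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method) || "TRACE".equals(method);
    }

    // Origin wins when present (a literal "null" Origin simply fails to match);
    // Referer is the fallback; neither header means fail closed.
    boolean originAllowed(String origin, String referer) {
        if (origin != null) {
            return origin.equals(expectedOrigin);
        }
        if (referer != null) {
            return referer.startsWith(expectedOrigin + "/");
        }
        return false;
    }

    // Constant-time comparison so token checking does not leak via timing.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void destroy() {
    }
}
```

To use it, map the filter in the application's web.xml to the paths that accept state-changing requests and set `expectedOrigin` to the scheme, host and port users actually reach the server on (a different value behind a reverse proxy is a common misconfiguration). This illustrates why the accepted answer places the fix in the web application rather than in Tomcat or the network: the application is the only layer that can issue and verify the token. Tomcat does ship its own `org.apache.catalina.filters.CsrfPreventionFilter`, but it relies on the application encoding the nonce into every link via `encodeURL`, which a third-party application such as BI will not do, so on a BI deployment the practical remedy is the platform upgrade the accepted answer describes.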


Hi Denis,

Thank you, I will have a look.