Skip to Content


HI Experts,

Please assist. Pen test results shows that my tomcat version is vulnerable to Cross-site request forgery (XSRF). I am running BO Enterprise XI 4.0. Please what is the right version to upgrade to and will this break anything for me.

Please assist.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    Mar 14, 2017 at 12:06 PM

    1. If you have concern about security - you should log an SAP support Incident

    2. If you want to upgrade Tomcat you're using to a newer version, you need to :
    a. check if your version of BOE will work with desired version of tomcat in the PAM ( )

    b. Read this KBA

    2232191 - *** Master KBA *** - How to install/upgrade/configure Apache Tomcat which is bundled with SAP BusinessObjects Business Intelligence 4.0/4.1/4.2

    Also, please note, XSRF or XSS vulnerabilities are usually not in Webapp servers (tomcat), they are in Webapplications that are running on those Webapp servers, so you, most likely, will need to upgrade your BI platform.
    BI 4.0 you're using is very old, current version is BI4.2 Sp3 and as far as we know it does not have any XSRF vulnerabilities.


    Another useful KBA is

    1475602 - Support procedures for identifying and resolving security vulnerabilities in SAP Business Objects products
    Make sure you read this one before logging incident with SAP.

    Add comment
    10|10000 characters needed characters exceeded

  • Mar 14, 2017 at 06:42 PM

    Hi Denis,

    Thank you, I will have a look.

    Add comment
    10|10000 characters needed characters exceeded

  • Mar 23, 2017 at 12:14 PM

    It appears cloud based platforms not infrastructure are more vulnerable to the Cross-Site Request Forgery (XSRF/CSRF).

    As this document appear to suggest:

    What then are chances of this sort of attack succeeding in production server on an infrastructure based setup protected by other network security such as firewalls.

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Denis

      Thanks for responding . With infrastructure here, am referring to the physical SAP systems. I also do know that firewalls can't project against such attacks but wouldn't you expect a level of protection if web browsing is not ran directly from a local production server.

      Since, these sort of attack depends on the attacker knowing the URL for the Tomcat Manager Application and with unique naming conventions used on server infrastructure and ports,a level of projection is expected on a physical infrastructure residing behind organisation's security setup.