on 03-14-2017 10:52 AM
Hi Experts,
Please assist. Pen test results show that my Tomcat version is vulnerable to Cross-site request forgery (XSRF). I am running BO Enterprise XI 4.0. Please, what is the right version to upgrade to, and will this break anything for me?
Please assist.
1. If you have concerns about security, you should log an SAP support incident.
2. If you want to upgrade the Tomcat you're using to a newer version, you need to:
a. check in the PAM (https://support.sap.com/release-upgrade-maintenance/pam.html) whether your version of BOE will work with the desired version of Tomcat
b. read this KBA
Also, please note that XSRF or XSS vulnerabilities are usually not in web application servers (Tomcat); they are in the web applications running on those servers, so you will most likely need to upgrade your BI platform.
The BI 4.0 you're using is very old; the current version is BI 4.2 SP3, and as far as we know it does not have any XSRF vulnerabilities.
P.S.
Another useful KBA is
1475602 - Support procedures for identifying and resolving security vulnerabilities in SAP Business...
Make sure you read this one before logging an incident with SAP.
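The point in the answer above, that XSRF protection belongs in the web application rather than in Tomcat, is easiest to see in code. The following is an added example (not from the original thread, and not SAP or Tomcat code) of the two checks a web application typically performs on state-changing requests: the request's Origin/Referer must match the site's own origin, and a per-session synchronizer token echoed back in the form must match the one stored server-side. The session store, the site origin `https://bi.example.com`, and the function names are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed site origin for the example; a real deployment uses its own scheme + host.
SITE_ORIGIN = "https://bi.example.com"

# Methods that must never change server state, so they are exempt from the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a random per-session token and store it server-side.

    The same value is embedded in every form as a hidden field; a cross-site
    page cannot read it, so it cannot forge a request that carries it.
    (The session dict stands in for the container's real session object.)
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer value) to its scheme://host[:port] form."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method: str, headers: Dict[str, str], form: Dict[str, str],
                  session: Dict[str, str], site_origin: str = SITE_ORIGIN) -> Tuple[bool, str]:
    """Decide whether a request may change state; returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # Header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Check 1: the browser-supplied source of the request must be our own origin.
    source = hdrs.get("origin") or hdrs.get("referer")
    if source is None:
        return False, "no Origin or Referer header on state-changing request"
    if _origin_of(source) != site_origin.lower():
        return False, f"cross-site source {_origin_of(source)}"

    # Check 2: the token submitted with the form must match the session's token.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"

    return True, "same-origin request with valid token"


if __name__ == "__main__":
    # Constructed walk-through: one session, a legitimate form post and a forged one.
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    print(check_request("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token}, session))
    print(check_request("POST", {"Origin": "https://attacker.example"}, {"csrf_token": token}, session))
    print(check_request("POST", {"Origin": SITE_ORIGIN}, {}, session))
```

Nothing in these checks depends on Tomcat or on a firewall: the forged request arrives from the victim's own browser over the same path a legitimate one would take, so only the application's comparison of origin and token distinguishes the two. Note that `hmac.compare_digest` is used so that token comparison does not leak timing information.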
It appears that cloud-based platforms, not infrastructure, are more vulnerable to Cross-Site Request Forgery (XSRF/CSRF).
As this document appears to suggest: https://help.hana.ondemand.com/help/frameset.htm?1f5f34e31ec64af8b5fef1796ea07c0a.html
What, then, are the chances of this sort of attack succeeding on a production server in an infrastructure-based setup protected by other network security such as firewalls?
Hi Denis,
Thanks for responding. By infrastructure here, I am referring to the physical SAP systems. I also know that firewalls can't protect against such attacks, but wouldn't you expect a level of protection if web browsing is not run directly from a local production server?
Since this sort of attack depends on the attacker knowing the URL for the Tomcat Manager application, and with the unique naming conventions used on server infrastructure and ports, a level of protection is expected on physical infrastructure residing behind the organisation's security setup.
Hi Denis,
Thank you, I will have a look.