Remediating Data Services 4.2 SP08 from Apache Struts 2.3.32 to 2.3.34 for CVE-2017-9805

Sep 07, 2017 at 02:40 PM

Former Member

The REST plug-in used in Apache Struts 2.3.32 is subject to a security vulnerability, and I am tasked with remediating it by COB today.

We use REST, so we cannot disable it. The last time there was a Struts vulnerability, SAP took 3-4 weeks to release a fix (2462401 - Data Services 4.2.8 apache.struts.2.3.30 vulnerability). Unfortunately, I do not have that kind of time.

Here it says, "Alternatively, you can upgrade the plugin by dropping in all the required JARs (plugin plus dependencies)": https://cwiki.apache.org/confluence/display/WW/S2-052

Has anyone done this before, and if so, do you have general directions or a site with a general guide?

Thanks in advance.
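Before dropping in replacement JARs, the first thing to establish is which Struts artifacts the web application actually ships and whether the REST plug-in is present at all. The following is an added example, not code from the original post, from SAP, or from the Apache Struts project: it walks a `WEB-INF/lib` directory, reads the version out of each `struts2-*.jar` filename, and checks the REST plug-in version against the affected ranges quoted in the S2-052 advisory (2.1.2 to 2.3.33 and 2.5 to 2.5.12). The directory layout it scans is a constructed sample with empty placeholder files; the function and artifact names are my own assumptions, and a real check should run against the deployed `DataServices\WEB-INF\lib` path.

```python
import os
import re
import tempfile
from pathlib import Path

# Struts JARs are named <artifact>-<version>.jar, e.g. struts2-core-2.3.32.jar
# or struts2-rest-plugin-2.3.32.jar (assumed naming; matches the thread's paths).
JAR_RE = re.compile(r"^(struts2-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")

# Inclusive REST plug-in version ranges listed as affected by S2-052 (CVE-2017-9805).
AFFECTED_REST_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5), (2, 5, 12))]


def parse_version(text):
    """'2.3.32' -> (2, 3, 32) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def inventory_struts_jars(lib_dir):
    """Return {artifact_name: version_tuple} for every struts2-*.jar in lib_dir."""
    found = {}
    for name in sorted(os.listdir(lib_dir)):
        match = JAR_RE.match(name)
        if match:
            found[match.group(1)] = parse_version(match.group(2))
    return found


def rest_plugin_affected(version):
    """True if this REST plug-in version falls inside an affected range."""
    return any(low <= version <= high for low, high in AFFECTED_REST_RANGES)


def assess(lib_dir):
    """Summarise what is deployed and whether the REST plug-in needs remediation."""
    jars = inventory_struts_jars(lib_dir)
    rest = jars.get("struts2-rest-plugin")
    return {
        "core": jars.get("struts2-core"),
        "rest_plugin": rest,
        # No REST plug-in JAR means the vulnerable component is not deployed here.
        "rest_plugin_deployed": rest is not None,
        "rest_plugin_affected": rest is not None and rest_plugin_affected(rest),
        "all_struts_jars": jars,
    }


def build_sample_lib(root):
    """Constructed sample WEB-INF/lib: empty files standing in for real JARs."""
    lib = Path(root) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    for name in (
        "struts2-core-2.3.32.jar",
        "struts2-rest-plugin-2.3.32.jar",
        "struts2-convention-plugin-2.3.32.jar",
        "some-other-library-1.0.jar",  # non-Struts JAR, should be ignored
    ):
        (lib / name).touch()
    return lib


def assess_sample():
    """Run the assessment against the constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess(build_sample_lib(tmp))


if __name__ == "__main__":
    result = assess_sample()
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample layout this reports `struts2-core` and `struts2-rest-plugin` at 2.3.32 and flags the REST plug-in as affected; the same function run on a lib directory containing `struts2-rest-plugin-2.3.34.jar` reports it as not affected, which is the state to confirm after the JAR swap. Version comparison is done on integer tuples rather than strings so that 2.3.9 sorts before 2.3.32.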

Former Member

I didn't know they were broken, thanks.


2 Answers

Denis Konovalov
Sep 08, 2017 at 05:24 PM
0

How do you know that the SAP solution you're using (I'm assuming it is DS) is actually vulnerable to CVE-2017-9805?

Just because there are files mentioned in the CVE doesn't automatically mean that they can be exploited.

As to removing JARs: I would not advise this, as it's unknown how it affects the functioning of the product.

You should log a support incident with SAP under the EIM-DS... component, so this can be properly investigated and, if needed, addressed.

Former Member

All the questions and inferences made in this reply are answered by the links in my original post.

Business Objects is compiled with a web server that uses Tomcat and Apache together. Apache uses something called struts2-core-2.3.X (SAP BusinessObjects\tomcat\webapps\DataServices\WEB-INF\lib\struts2-core-2.3.X).

There is a struts vulnerability out which already has a Metasploit module available to test the vulnerability (Metasploit Module for Apache Struts 2 REST (CVE-2017-9805) Now Available for Download)

Business Objects 4.2 together with Data Services 4.2 uses struts 2.3.32.

If you use the Struts REST plug-in versions Struts 2.1.2 - Struts 2.3.33 or Struts 2.5 - Struts 2.5.12, then you are vulnerable. Period.

I am surprised, frankly, this isn't a bigger deal.

0

I'm sorry but they are not answered.

1. Business Objects is not compiled with a web server.
2. Business Intelligence Platform comes with the Tomcat web application server, which is not Apache and Tomcat together.
BOE also comes with the WACS server, which is based on Tomcat and Java-based services, some of which might use Apache Foundation libraries.
3. Some of the web applications, including the DataServices webapp, have some of the mentioned libraries,
which does not necessarily mean the exploit will work. It needs to be tested/investigated,
because file names and versions might match, but the content or how they are used/exposed could be different.
If you report it via an SAP Support Incident, it will be (or it was already addressed in an SAP Security Note and support can point you to one).

If you used this Metasploit module to test the DataServices webapp, your result will be useful for SAP.

0
Denis Konovalov
Sep 11, 2017 at 11:18 AM
0

I've checked around on this and there is an active SAP investigation on the BI Platform side of things about it.
Since BI Platform is using Struts 1, this vulnerability might not apply at all:

https://launchpad.support.sap.com/#/notes/2364904


However, since your specific situation involves Data Services, please create an SAP support incident with the EIM-DS-SVR component, so it can be properly investigated and documented.