Skip to Content
avatar image
Former Member

Remediating Data Services 4.2 SP08 from Apache Struts 2.3.32 to 2.3.34 for CVE-2017-9805

The REST plug-in used in Apache Struts 2.3.32 is subject to a security vulnerability and I am tasked with remediating for it by COB today.

We use REST, so we cannot disable it. The last time there was a Struts vulnerability, SAP took 3-4 weeks to release a fix (2462401 - Data Services 4.2.8 apache.struts.2.3.30 vulnerability). Unfortunately, I do not have that kind of time.

Here it says, "Alternatively, you can upgrade the plugin by dropping in all the required JARs (plugin plus dependencies) https://cwiki.apache.org/confluence/display/WW/S2-052

Has anyone done this before?, and if so, do you have general directions or a site with a general guide?

Thanks in advance.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Sep 08, 2017 at 05:24 PM

    How do you know that SAP solution you're using, I'm assuming it is DS - actually vulnerable to CVE-2017-9805?

    Just because there are files mentioned in the CVE, doesn't mean automatically that they can be exploited.

    As to removing jar's - I would not advise this as its unknown how it affects functioning of the product.

    You should log support incident with SAP EIM-DS... component, so this can be properly investigated and if needed - addressed

    Add comment
    10|10000 characters needed characters exceeded

    • I'm sorry but they are not answered.

      1. Business objects is not compiled with webserver.
      2. Business intelligence platform comes with Tomcat webapplication server which is not Apache and tomcat together.
      BOE also comes with WACS server, which is based on tomcat and Java based services, some of whom might use apache foundation libraries.
      3. Some of the Webapplications, including DataServices webapp have some of the mentioned libraries.
      which does not necessarily mean the exploit will work. It needs to be tested/investigated.
      Because file names and version migth match, but content or how they are used/exposed could be different.
      If you report it via SAp Support Incident - it will be. (or it was already addressed in a SAP Security note and support can point you to one).

      If you used this metasploit module to test DataServices webapp - your result will be useful for SAP.

  • Sep 11, 2017 at 11:18 AM

    I've checked around on this and there is an active SAP investigation on BI Platform side of things about it.
    Since BI Platform is using struts 1, this vulnerability might not apply at all :

    https://launchpad.support.sap.com/#/notes/2364904


    However, since you're specific situation involves Data Services - please create SAP support incident with EIM-DS-SVR component, so it can be properly investigated and documented.
    Add comment
    10|10000 characters needed characters exceeded