Security issue affecting outdated and misconfigured SAP systems

Have you implemented SAP Security Note 1445998 and disabled the Invoker Servlet?

The US-CERT team have issued an alert about SAP (https://www.us-cert.gov/ncas/alerts/TA16-132A) relating to abuse of the Invoker Servlet, built-in functionality in SAP NetWeaver Application Server Java systems (SAP Java platforms) that SAP patched in 2010. However, the vulnerability continues to affect a small number of outdated and misconfigured SAP systems.

It is thought this will only affect a small number of SAP customers globally.

SAP state: “The vulnerable component in question, ‘Invoker Servlet’, was disabled by SAP in SAP NetWeaver 7.20, which was released in 2010. SAP has released patches to applications under maintenance and therefore all SAP applications released since then are free of this vulnerability.

Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. In the interest of security of SAP operations at customer sites, the security advisory 1445998 released by SAP in Nov 2010 notifies the customer that Invoker Servlet is disabled by default in SAP NetWeaver 7.20, and advises the customer to first disable Invoker Servlet in his environment and then deploy tested custom applications.”

If you think you may be affected, please review the alert (linked above) and ensure you have the relevant patches in place.
