CVE-2021-38163

Analysis and mitigation of the NetWeaver vulnerability — CRITICAL (CVSS 9.9)

High-profile threat

Overview

SAP NetWeaver Visual Composer contains an unrestricted file upload vulnerability that allows authenticated non-administrative users to upload malicious files and execute arbitrary OS commands with Java server privileges. The vulnerability exists due to insufficient restrictions on the file upload functionality. The vulnerability was disclosed on September 14, 2021. CISA has identified CVE-2021-38163 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

SAP NetWeaver Visual Composer contains a critical unrestricted file upload vulnerability in versions 7.30, 7.31, 7.40, and 7.50. The vulnerability allows authenticated users without administrative privileges to bypass file upload restrictions and upload malicious files to the server. Due to insufficient validation and filtering of uploaded content, attackers can upload executable files (such as JSP files) that are processed by the Java server runtime, leading to arbitrary OS command execution with the privileges of the Java application server process.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-434 (Improper Restriction of Rendered UI Layers or Frames) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).

The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating its high severity.

Impact

An authenticated attacker can upload malicious files (such as JSP webshells) to the SAP NetWeaver server and execute arbitrary OS commands with the privileges of the Java application server process. This could lead to complete compromise of the application server, including unauthorized access to sensitive data, modification of system files, installation of malware, lateral movement within the network, and denial of service. The impact is particularly severe in enterprise environments where SAP systems often contain critical business data and are integrated with other enterprise systems.

Mitigation and workarounds

SAP released security patches for all affected versions (7.30, 7.31, 7.40, 7.50). Users should apply the latest support package available for their respective NetWeaver version. Patches are available through SAP's support portal and require authentication. The fix implements proper file upload validation, restricts file types, and enforces stricter access controls on the upload functionality. Install patches in the following order:

1) Stop the SAP NetWeaver system.
2) Download the appropriate patch from SAP.
3) Apply the patch using SAP's patch management tools.
4) Restart the system.
5) Verify that the patch was applied correctly.

The following versions include the necessary fixes: NetWeaver 7.30 SP (latest patch), NetWeaver 7.31 SP (latest patch), NetWeaver 7.40 SP (latest patch), NetWeaver 7.50 SP (latest patch).

As temporary workarounds: disable the Visual Composer file upload functionality if it is not required for operations; implement network-level access controls to restrict access to the Visual Composer interface to trusted IP addresses or VPN connections only; configure the Java application server to disable JSP execution in upload directories using proper directory permissions and security policies; restrict user permissions and access to Visual Composer functions to only the administrative users who require them; and monitor upload directories and file system activity for suspicious file uploads and execution patterns.
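One way to implement the "monitor upload directories" workaround above, as an added example that is not part of the original report or of SAP's tooling: a Python scan of a directory for files the Java runtime could execute, flagging both executable extensions (including compound names such as invoice.pdf.jsp) and JSP markup inside files that claim a benign type. The upload path and all sample files are constructed; the report does not name the real Visual Composer upload location, so UPLOAD_DIR must be adapted to it.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the NetWeaver Java stack may compile or load from a served directory.
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jar", ".war", ".ear", ".class"}
# JSP directive/scriptlet opener; a file claiming to be an image or PDF should not contain it.
JSP_MARKER = re.compile(rb"<%[@=!]?")

def classify(path: Path) -> list[str]:
    """Return the reasons a file is suspicious (empty list if none)."""
    reasons = []
    # Check every suffix, so 'invoice.pdf.jsp' and 'shell.jsp.txt' are both flagged.
    if {s.lower() for s in path.suffixes} & EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension")
    head = path.read_bytes()[:512]
    if JSP_MARKER.search(head) and path.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        reasons.append("JSP markup in non-JSP file")
    return reasons

def scan_upload_dir(root: str) -> dict[str, list[str]]:
    """Walk root recursively; map each suspicious file (relative path) to its findings."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if reasons := classify(p):
                findings[os.path.relpath(p, root).replace(os.sep, "/")] = reasons
    return findings

def build_demo_dir() -> str:
    """Create a constructed upload directory (stand-in for the real, unspecified UPLOAD_DIR)."""
    root = tempfile.mkdtemp(prefix="vc_upload_demo_")
    samples = {  # all content below is constructed sample data
        "report.pdf": b"%PDF-1.4 sample",
        "logo.png": b"\x89PNG\r\n\x1a\n sample",
        "invoice.pdf.jsp": b'<%@ page language="java" %>',
        "nested/photo.jpg": b"<% /* scriptlet where image bytes belong */ %>",
    }
    for rel, data in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root

if __name__ == "__main__":
    UPLOAD_DIR = build_demo_dir()  # replace with the real upload directory in production
    for rel, reasons in sorted(scan_upload_dir(UPLOAD_DIR).items()):
        print(rel, "->", "; ".join(reasons))
```

Run it periodically (or from a file-system watcher) and forward any findings to the SIEM; the content check catches files that passed an extension-only filter.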

CISA recommendation: Apply updates per vendor instructions.

Additional resources

Source: This report was generated by AI

Related SAP SE vulnerabilities

No related vulnerabilities with identified affected products.