CVE-2021-38163

NetWeaver vulnerability analysis and mitigation — CRITICAL (CVSS 9.9)

High Profile Threat

Overview

SAP NetWeaver Visual Composer contains an unrestricted file upload vulnerability (CWE-434) that lets an authenticated user without administrative privileges upload files the server will execute, and so run arbitrary OS commands with the privileges of the Java server process. The root cause is insufficient restriction of the file types the upload function accepts. SAP published the fix on September 14, 2021, its September 2021 Security Patch Day. CISA lists CVE-2021-38163 in its Known Exploited Vulnerabilities catalog; use in ransomware campaigns is recorded there as unknown.

Technical details

SAP NetWeaver Visual Composer (the Visual Composer 7.0 runtime shipped with NetWeaver 7.30, 7.31, 7.40 and 7.50) contains an unrestricted file upload vulnerability. An authenticated user without administrative privileges can bypass the restrictions the upload function is supposed to enforce and place a file of their choosing on the server. Because the content and type of the upload are not adequately validated, the attacker can upload a file that the AS Java runtime treats as executable, such as a JSP page, and then request it; the server compiles and runs it, giving the attacker arbitrary OS command execution under the account of the Java application server process.
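The following is an added illustration, written for this page and not SAP's code, of the two halves of the bug described above: a deny-list check on the visible extension, which is the shape of check a CWE-434 bug typically has, next to the validation an upload handler needs to stop JSP-style uploads. The allowlist, the magic-byte table and the directory layout are assumptions for the example; the real Visual Composer upload accepts different types.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Assumed allowlist for a model/content upload endpoint (illustrative, not Visual Composer's real list).
ALLOWED_EXT = {".png", ".jpg", ".gif", ".xml", ".txt"}
# Magic bytes for the binary types we accept; text types have none and are checked for code markers only.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# Anything the AS Java runtime would compile or serve as active content.
EXECUTABLE_EXT = {".jsp", ".jspx", ".jspf", ".jar", ".war", ".class", ".html", ".htm"}
# Content markers of a JSP scriptlet or command execution, checked regardless of extension.
CODE_MARKERS = (b"<%", b"Runtime.getRuntime", b"ProcessBuilder")


def weak_is_allowed(filename: str) -> bool:
    """Deny-list on the visible extension only: shell.jspx, shell.JSP.png and ../x.jsp all get through."""
    return not filename.lower().endswith(".jsp")


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return a rejection reason, or None when the file is acceptable."""
    # 1. Reduce to a bare name; any directory component is attacker-controlled traversal.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return "empty or hidden filename"
    # 2. Control characters (NUL truncation tricks such as shell.jsp\x00.png) are never legitimate.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in base):
        return "control character in filename"
    # 3. Every dotted segment is checked, so shell.jsp.png and shell.png.jsp both fail.
    segments = base.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return "missing extension"
    if any("." + seg in EXECUTABLE_EXT for seg in segments[1:]):
        return "executable extension present"
    ext = "." + segments[-1]
    if ext not in ALLOWED_EXT:
        return "extension not in allowlist"
    # 4. The bytes must match the type the name claims.
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        return "content does not match extension"
    # 5. No server-side code markers anywhere, even inside an allowed text type.
    if any(marker in content for marker in CODE_MARKERS):
        return "server-side code markers in content"
    return None


def store_upload(upload_root: Path, filename: str, content: bytes) -> Path:
    """Store an accepted file under a server-chosen random name; the client name never reaches the disk.

    upload_root is assumed to be outside any directory the servlet container serves or compiles.
    """
    reason = validate_upload(filename, content)
    if reason is not None:
        raise ValueError(reason)
    ext = "." + os.path.basename(filename).lower().rsplit(".", 1)[-1]
    dest = upload_root / (secrets.token_hex(16) + ext)
    dest.write_bytes(content)
    return dest
```

The random server-side filename and the out-of-webroot directory matter as much as the checks: even a file that passes validation must never land at a path the attacker can predict and request.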

The weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type); the command execution it leads to is commonly tracked as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).

The vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 8.8 (HIGH) under CVSS v3.1, which is the NVD rating; SAP's own advisory rates the issue 9.9 (CRITICAL), the figure in the headline above, because it treats compromise of the Java server as a change of scope (S:C). Either way the vector says the same thing: reachable over the network, low attack complexity, any low-privileged account, no user interaction, and full loss of confidentiality, integrity and availability.

Impact

An authenticated attacker can upload a JSP webshell (or similar active content) to the SAP NetWeaver server and execute arbitrary OS commands with the privileges of the Java application server process. That is a complete compromise of the application server: reading and modifying business data and configuration, tampering with system files, installing persistent malware, pivoting to connected systems, and denial of service. The impact is especially severe because SAP systems typically hold critical business data and are integrated with other enterprise systems through trusted connections, so a foothold on the Java server is rarely the end of the intrusion.

Mitigation and workarounds

SAP released corrections for all affected releases (7.30, 7.31, 7.40 and 7.50) with its September 2021 Security Patch Day; the corrected Visual Composer support package or patch level is listed in the SAP Security Note for CVE-2021-38163, which is available on the SAP Support Portal and requires an S-user login. The fix adds server-side validation of uploaded files, restricts the file types the upload accepts, and tightens access control on the upload function. A typical rollout: 1) read the note and identify the corrected patch level for the Visual Composer component deployed on each AS Java instance; 2) download that patch from the SAP Support Portal; 3) deploy it with the standard AS Java deployment tooling (for example the Software Update Manager), which normally involves a restart of the Java instance; 4) verify afterwards that the deployed Visual Composer component reports the corrected version (the AS Java System Information application lists deployed components and their versions); 5) repeat on every instance, including development and quality systems, since those are usually reachable by the same user population.

As temporary workarounds until the patch is deployed: disable the Visual Composer file upload function, or Visual Composer altogether, if it is not required for operations; restrict network access to the Visual Composer interface to trusted IP ranges or VPN connections only; make sure the directory the upload writes to is not one the AS Java runtime serves or compiles JSPs from, and keep it on a filesystem path with restrictive permissions; limit the Visual Composer roles and UME permissions to the users who genuinely need them, since every account with upload rights is a potential attacker here; and monitor the upload directories and the HTTP access logs for newly written .jsp/.jspx files and for an upload followed shortly by a request to the uploaded file.
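Added here as an example of the monitoring workaround, not part of the original page or of any SAP tooling: one function correlates a successful upload POST with a subsequent GET for an active file by the same source and user, and a second scans a directory tree for JSP files carrying webshell indicators. The log lines are constructed in common-log style and are not SAP's actual access-log format; the `/upload` path fragment is a placeholder for the real Visual Composer upload endpoint(s) you see in your own logs.

```python
import re
from datetime import datetime
from pathlib import Path

# Constructed sample lines in common-log style (not SAP's own access-log format), modelling
# a low-privileged user uploading a file and then requesting it as a JSP seconds later.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [14/Sep/2021:10:02:11 +0000] "POST /VisualComposer/upload HTTP/1.1" 200 512
10.0.0.5 - jdoe [14/Sep/2021:10:02:19 +0000] "GET /VisualComposer/upload/cmd.jsp?c=id HTTP/1.1" 200 188
10.0.0.7 - asmith [14/Sep/2021:10:05:40 +0000] "GET /VisualComposer/models/list HTTP/1.1" 200 2048
10.0.0.9 - - [14/Sep/2021:10:07:02 +0000] "GET /irj/portal HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)
# Anything the AS Java runtime would execute rather than serve as static content.
ACTIVE_EXT = re.compile(r"\.(jsp|jspx|jspf)(?:\?|$)", re.IGNORECASE)
# Hypothetical upload endpoint fragment; replace with the real Visual Composer upload path(s).
UPLOAD_HINT = "/upload"

# Content indicators a JSP webshell almost always carries; the names are for the analyst.
WEBSHELL_PATTERNS = {
    "runtime-exec": re.compile(rb"Runtime\.getRuntime\(\)\s*\.exec"),
    "processbuilder": re.compile(rb"new\s+ProcessBuilder"),
    "request-param": re.compile(rb"request\.getParameter\("),
    "scriptlet": re.compile(rb"<%(?!--)"),
}


def parse_log(log_text):
    """Yield one dict per parseable line, with a timezone-aware datetime under 'time'."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield e


def detect_upload_then_execute(log_text, window_s=300):
    """Flag a 2xx POST to an upload path followed, by the same source and user within window_s, by a GET for an active file."""
    last_upload = {}
    alerts = []
    for e in parse_log(log_text):
        key = (e["src"], e["user"])
        if e["method"] == "POST" and UPLOAD_HINT in e["path"].lower() and e["status"].startswith("2"):
            last_upload[key] = e["time"]
        elif e["method"] == "GET" and ACTIVE_EXT.search(e["path"]) and key in last_upload:
            delta = (e["time"] - last_upload[key]).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append({"src": e["src"], "user": e["user"], "path": e["path"],
                               "seconds_after_upload": delta, "status": e["status"]})
    return alerts


def webshell_indicators(content: bytes):
    """Names of the webshell patterns present in a file body, in table order."""
    return [name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(content)]


def scan_for_webshells(root: Path, exts=(".jsp", ".jspx", ".jspf")):
    """Walk a directory tree and report active files that carry webshell indicators."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            found = webshell_indicators(p.read_bytes())
            if found:
                hits.append((p, found))
    return hits


if __name__ == "__main__":
    for alert in detect_upload_then_execute(SAMPLE_LOG):
        print("ALERT upload-then-execute:", alert)
```

The log correlation is deliberately keyed on source address plus user, because the exploit needs an authenticated session; a GET for a JSP under an upload path with no matching upload in the window is still worth a lower-severity alert, and the file scan covers the case where the upload went through a channel the HTTP log does not show.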

CISA's recommendation: Apply updates per vendor instructions.

Additional resources

Source: This report was generated using AI

Related SAP SE Vulnerabilities

No related vulnerabilities found with identified affected products.