SAP NetWeaver AS Java Multiple Vulnerabilities (March 2023)

Medium | Nessus Plugin ID 172603

Synopsis

The remote SAP NetWeaver application server is affected by multiple vulnerabilities.

Description

SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following:

- The Classload Service in SAP NetWeaver Application Server for Java, version 7.50, does not perform any authentication checks for functionality that requires a user identity, resulting in escalation of privileges. The impact on confidentiality is low: an unassigned user can read non-sensitive server data. (CVE-2023-24526)

- The Cache Management Service in SAP NetWeaver Application Server for Java, version 7.50, does not perform any authentication checks for functionality that requires a user identity. (CVE-2023-26460)

- The Object Analyzing Service in SAP NetWeaver AS Java, version 7.50, does not perform the necessary authorization checks. An unauthenticated attacker can attach to an open interface and use an open naming and directory API to reach a service that lets them read, but not modify, server settings and data, with no effect on availability, resulting in escalation of privileges. (CVE-2023-27268)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number, which is why this plugin runs only when paranoid mode is enabled.

Solution

Apply the appropriate patch according to the vendor advisory (SAP Notes 3288480, 3288096 and 3288394).

See Also

http://www.nessus.org/u?18f404d5

https://launchpad.support.sap.com/#/notes/3288480

https://launchpad.support.sap.com/#/notes/3288096

https://launchpad.support.sap.com/#/notes/3288394

Plugin Details

Severity: Medium

ID: 172603

File Name: sap_netweaver_as_java_mar_2023.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 3/16/2023

Updated: 3/17/2023

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2023-24526

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 3/14/2023

Vulnerability Publication Date: 3/14/2023

Reference Information

CVE: CVE-2023-24526, CVE-2023-26460, CVE-2023-27268

IAVA: 2023-A-0130