topic Re: SAP AS Java affected from commons-collection vulnerability? in Application Development and Automation Discussions

SAP AS Java affected from commons-collection vulnerability?

JaySchwendemann — Wed, 11 Nov 2015 10:23:55 GMT

Dear all,

we are running an PI AEX (AS Netweaver Java 7.4) and I recently heard about this vulnerability: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. |

I did a quick search in the Java Class Loader View from PIs NWA and did not find any Apache Library there. But as I would consider myself far from a J2EE expert I might easily looking in the wrong place.

So my questions are:

Do you know if the SAP Netweaver AS Java might be affected
How should I check, e.g. where to do that "grep" the above link mentioned

Many thanks and kind regards

Jens

Re: SAP AS Java affected from commons-collection vulnerability?

Former Member — Mon, 23 Nov 2015 14:49:20 GMT

Hi, Jens!

Have you received any confirmation for this?

Best regards,

Aleksi

Re: SAP AS Java affected from commons-collection vulnerability?

JaySchwendemann — Thu, 26 Nov 2015 11:06:37 GMT

No, unfortunately not. Considering opening an incident for this to get some information.

Will keep this thread updated then.

If anybody else has information about this, please feel free to add here.

Cheers

Jens

Re: SAP AS Java affected from commons-collection vulnerability?

Former Member — Thu, 26 Nov 2015 11:12:17 GMT

Hi,

SAP has provided the following reply:

"SAP has received information about security deficiencies in some java

classes used in deserialization, used in a number of software products

of different vendors. These deficiencies are referred to under the

name of "java deserialization vulnerability#. Currently, this

vulnerability has been identified in some of the commonly used open

source libraries (Apache Groovy [CVE-2015-3253] and Apache Commons

Collections). SAP security teams are in the process of investigating

if SAP products are affected by the reported vulnerability.

SAP takes any security-related report very seriously. We will notify

our customers appropriately as relevant new information on this topic

becomes available.

We take the opportunity to remind you to increase the security of

your SAP systems by installing the available security patches.

For information on SAP's security notes and patches, please refer to -

https://support.sap.com/securitynotes "

Best regards,

Aleksi

Re: SAP AS Java affected from commons-collection vulnerability?

JaySchwendemann — Thu, 26 Nov 2015 11:50:24 GMT

Great, thanks for sharing. Would be great if you update this thread if SAP is directly updating you with some information (maybe you opened an incident for this?)

Anyways we'll have to wait and see the outcome of this.

Cheers

Jens

Re: SAP AS Java affected from commons-collection vulnerability?

Former Member — Thu, 14 Jan 2016 12:14:36 GMT

Hi,

Some SAP Notes have already been released related to this. Please search for "java serialization vulnerability".

Best regards,

Aleksi

Re: SAP AS Java affected from commons-collection vulnerability?

JaySchwendemann — Wed, 17 Feb 2016 13:20:32 GMT

Especially http://service.sap.com/sap/support/notes/2246851 seems to be relevant for PI, maybe this one for Wily, too http://service.sap.com/sap/support/notes/2262104