
BREACH vulnerability

Former Member
0 Likes

Hi all,

Our security team found a high-risk vulnerability, the BREACH vulnerability. This can be mitigated by disabling HTTP compression on the web server. We have to change compression="on" to "off" in the server.xml on the web server. Please advise if the change impacts the system.

Our system information is:

BI: 4.1 SP2 P5

App Server: Tomcat7

OS: Windows 2008 R2 64bit

Database: Oracle 11g

Thanks.

Accepted Solutions (1)

former_member207052
Active Contributor
0 Likes

Hi Jian,

When you set the compression to "Off", more data needs to be transferred from the server to the client each time there is a request from the client. This will affect the overall performance and also increase your network traffic.

The magnitude of the issues mentioned above depends on your environment. Use some tool like Fiddler and try finding the metrics when you toggle between compression on and off.

On the other hand, can you please brief more about the vulnerability?

Regards,

Naras

Former Member
0 Likes

Hi Naras,

Thank you so much for your reply. It's really helpful.

Please see the details of the vulnerability below:

This web application is potentially vulnerable to the BREACH attack.

An attacker with the ability to:

- Inject partial chosen plaintext into a victim's requests

- Measure the size of encrypted traffic

can leverage information leaked by compression to recover targeted parts of the plaintext.

BREACH (Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext) is a category of vulnerabilities and not a specific instance affecting a specific piece of software. To be vulnerable, a web application must:

- Be served from a server that uses HTTP-level compression

- Reflect user-input in HTTP response bodies

- Reflect a secret (such as a CSRF token) in HTTP response bodies

We would much appreciate any solutions for the vulnerability.

Thanks,

Jiang
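The three conditions listed in the scanner report (HTTP-level compression, reflected user input, and a secret in the same response body) can be checked together offline. The following is an added illustration, not code from the thread or from SAP/Tomcat: it builds a constructed HTML body with a placeholder CSRF token and an echoed parameter, then compares the on-the-wire size with gzip on and off. With compression on, a reflected string that shares a prefix with the token compresses better than one that does not, so the response length depends on the secret; with compression off, the length is identical in both cases, which is why the server.xml change removes the issue.

```python
import gzip

# Constructed placeholder secret; a real page would embed an anti-CSRF token here.
CSRF_TOKEN = "a7f3c9e12b"


def render_page(reflected: str) -> bytes:
    """Constructed response body: a hidden token plus a reflected parameter.

    The reflected text sits after the token in the same body, inside the
    deflate window, which is the situation the scanner report describes.
    """
    return (
        "<html><head><title>Search results</title></head><body>\n"
        '<ul class="nav"><li><a href="/home">Home</a></li>'
        '<li><a href="/reports">Reports</a></li>'
        '<li><a href="/settings">Settings</a></li></ul>\n'
        '<form method="post" action="/search">\n'
        f'<input type="hidden" name="csrf" value="{CSRF_TOKEN}">\n'
        f"<p>You searched for: {reflected}</p>\n"
        '<input type="text" name="q"><input type="submit" value="Search">\n'
        "</form>\n</body></html>\n"
    ).encode()


def response_length(reflected: str, compression_on: bool) -> int:
    """Bytes that cross the wire for this body with gzip on or off.

    TLS hides the content but not (approximately) its length, which is what
    an observer of the encrypted traffic measures.
    """
    body = render_page(reflected)
    if compression_on:
        # mtime=0 keeps the gzip header identical between calls.
        return len(gzip.compress(body, mtime=0))
    return len(body)


def length_difference(compression_on: bool) -> int:
    """Length with a non-matching echo minus length with an echo that shares
    a prefix with the token. Positive means the response size leaks
    information about the secret; zero means it does not."""
    matching = 'value="' + CSRF_TOKEN[:6]   # shares a 13-byte prefix with the page
    wrong = 'value="' + "xqwkjz"            # same length, no overlap with the token
    return response_length(wrong, compression_on) - response_length(matching, compression_on)


if __name__ == "__main__":
    print("compression on, size difference:", length_difference(True))   # > 0
    print("compression off, size difference:", length_difference(False))  # 0
```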

Answers (1)

denis_konovalov
Active Contributor
0 Likes

Can you please provide a link describing this vulnerability?

Tomcat or a web server are not part of BI Platform, so you should follow your web or app server vendor guidelines on how to deal with it. (tomcat.org in this case).

In general, as stated above, turning off compression at the web app server increases the network traffic size between "tomcat" and the client browser.

Former Member
0 Likes

Hi Denis,

Thanks for your reply.

Please see the details of the vulnerability above. We would much appreciate any solutions for the vulnerability.

We deployed the BI4.1 whole package that includes the Tomcat; I'm not sure if SAP should support the web application (Tomcat) as well.

Thanks,

Jiang

denis_konovalov
Active Contributor
0 Likes

SAP will not patch Tomcat; you have to do that yourself or wait until SAP ships the next release with a newer Tomcat.
Tomcat is not an SAP product; it is only supported as far as the functionality of the SAP web apps on it.

BREACH doesn't affect the functionality of those.
If you want to upgrade your Tomcat, as long as the new version is supported, you're fine.

Former Member
0 Likes

Does it mean that SAP uses Tomcat as the web app server but doesn't patch Tomcat; if the client updates Tomcat to a new version, SAP may not support the updated web app anymore?

Former Member
0 Likes

Hello,

The SAP BI Platform may provide a new version of Tomcat within its support package updates.

It is still possible to install a supported version of Tomcat in a different folder and use it instead, rather than updating the provided version.

I hope this helps.

Thanks & Regards,

Insaf

denis_konovalov
Active Contributor
0 Likes

SAP provides Tomcat as a sample free Java app server to enable immediate deployment and usage of BI Platform.

SAP publishes a list of all supported Tomcat versions in its PAR (Supported Platforms guide).
If a customer patches or installs Tomcats of their own that are listed as supported in the PAR, SAP will support BI Platform web applications on such Tomcats.
If a customer installs Tomcat or patches it to a version that is not yet supported, then the BI Platform web apps will not be supported by SAP on it.