SAP RECON Vulnerability - Validation method issue

Former Member

Hi,

As extracted from SAP Note #2939665, there are two methods to verify whether the vulnerable URL is blocked: a POST call or the WS Navigator. However, using the public Python PoC, and after reading the code myself, it seems that a GET call also works to prove whether a server is vulnerable.

Could you confirm this? And if so, could you change the details in SAP Note #2939665?

Thanks in advance.

Regards

Javier

cris_hansen
Product and Topic Expert

Hello Javier,

If you have the same 404 HTTP error when using the GET method, then you see that the URL is blocked.

Regarding a change to the details in SAP Note 2939665, this should be addressed via a Support Incident under the BC-INS-CTC component, the owner of the SAP Note.

Related to this topic, you can also read KBA 2948106 - FAQ - for SAP Note 2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard).

Regards,

Cris

Former Member

Thanks for the reply.

So it means that, yes, a GET call is also valid to verify the vulnerability. Would you agree?

In addition:

Would the "?wsdl" part of the call to the URL https://<host>:<port>/CTCWebService/CTCWebServiceBean?wsdl also indicate that a system is vulnerable?

Would it be a good practice to scan for this vulnerability on all the possible JAVA ports reported by SAP here?

Regards.

Javier

cris_hansen
Product and Topic Expert

Hi Javier,

The purpose of the GET or POST method is to have the 404 HTTP error returned. If you get this response, then it means that you have correctly performed the fix from SAP Note 2939665.

Regards,

Cris
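
The check discussed in this thread, as an added example that is not part of the original posts or of SAP's note: it requests the CTCWebService URL with GET and POST on each endpoint you list and reports "blocked" only for a 404, keeping a server that did not answer separate from one that is fixed. The host name and the verdict labels ("blocked", "review", "unreachable") are assumptions made for this example; only the 404 rule comes from the replies above.

```python
import http.client
import urllib.error
import urllib.request

# Path quoted in the thread; hosts and ports below are constructed placeholders.
CTC_PATH = "/CTCWebService/CTCWebServiceBean"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx itself instead of following it


def http_status(url, method="GET", timeout=10):
    """Return the HTTP status code, or None when no HTTP response arrived."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.ProxyHandler({})  # direct connection only
    )
    req = urllib.request.Request(url, method=method)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx (and unfollowed 3xx) arrive as exceptions
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None  # refused, timed out, TLS or DNS failure, broken reply


def classify(status):
    if status is None:
        return "unreachable"  # says nothing about whether the fix is in place
    if status == 404:
        return "blocked"  # the result the replies describe for a correct fix
    return "review"  # any other answer: the URL is not confirmed blocked


def check_endpoints(base_urls, methods=("GET", "POST")):
    """Map each base URL (scheme://host:port) to a per-method verdict."""
    report = {}
    for base in base_urls:
        url = base.rstrip("/") + CTC_PATH
        report[base] = {m: classify(http_status(url, m)) for m in methods}
    return report


if __name__ == "__main__":
    # Constructed placeholder; replace with your own AS Java HTTP(S) endpoints.
    targets = ["https://sap-java.example.internal:50001"]
    for base, verdicts in check_endpoints(targets).items():
        print(base, verdicts)
```

Treat an endpoint as verified only when every method reports "blocked"; "unreachable" means the request never got an HTTP answer and has to be repeated from a network position that can reach the port.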