SAP BusinessObjects Security Patch Released

SAP has released a security patch for certain versions of SAP BusinessObjects for the Axis2 component. According to the US-CERT write-up:

… anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is “admin” and the password is “axis2”, this is also the default for standalone Axis2 installations.

For further details please refer to the links below. An exploit is currently available for this.

References:
http://www.kb.cert.org/vuls/id/989719
http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf?bcsi_scan_896CC636179ADAAE=0&bcsi_scan_filename=Hacking%20SAP%20BusinessObjects.pdf
https://websmp230.sap-ag.de/sap/support/notes/1432881 (requires login)

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Share

Leave a Reply