1. Introduction
SAP BusinessObjects Business Intelligence Platform is affected by a Server-Side Request Forgery (SSRF) vulnerability. This allows an unauthenticated attacker to make requests on behalf of the server, potentially accessing internal resources. Systems running versions 410, 420 and 430 are impacted. Successful exploitation could lead to information disclosure, remote file inclusion, or firewall bypass, impacting confidentiality, integrity, and availability.
2. Technical Explanation
The web application does not properly validate user-supplied input when handling CMS parameters. This allows an attacker to inject arbitrary values into these parameters, causing the server to make requests to internal network locations. The vulnerability is tracked as CVE-2020-6308. An example attack involves crafting a malicious request with a manipulated CMS parameter pointing to an internal service.
- Root cause: Missing input validation on CMS parameters within the Web Services component.
- Exploit mechanism: An attacker sends a specially crafted HTTP request containing a malicious CMS parameter that directs the server to access an internal resource, for example using a URL like http://[target]/BOBJ/openDocument?cms=.
- Scope: SAP BusinessObjects Business Intelligence Platform Web Services versions 410, 420 and 430 are affected.
3. Detection and Assessment
Confirming the vulnerability requires checking the installed version of the platform. A thorough assessment involves attempting to access internal resources via crafted requests.
- Quick checks: Check the BusinessObjects Central Management Console for the installed version.
- Scanning: Nessus plugin ID 139658 may detect this vulnerability, but results should be verified manually.
- Logs and evidence: Examine web server logs for requests containing unusual CMS parameters or attempts to access internal IP addresses. Look for HTTP GET requests with modified CMS values.
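As an added example (not part of the original advisory), the following Python script applies the "logs and evidence" check above to web server access logs: it extracts the `cms` parameter from `/BOBJ/openDocument` requests and flags values that point at loopback or private addresses, or at any host that is not on an allowlist of the deployment's legitimate CMS servers. The log lines and the allowlist entry `bi-cms01.corp.example` are constructed for illustration; the same allowlist check is the kind of validation a fixed application should apply before it contacts the host named in the parameter.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /BOBJ/openDocument?cms=bi-cms01.corp.example:6400&iDocID=AX1 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2020:13:56:01 +0000] "GET /BOBJ/openDocument?cms=127.0.0.1:6400 HTTP/1.1" 500 87
203.0.113.9 - - [10/Oct/2020:13:56:14 +0000] "GET /BOBJ/openDocument?cms=192.168.10.20:8080 HTTP/1.1" 500 87
203.0.113.9 - - [10/Oct/2020:13:56:30 +0000] "GET /BOBJ/openDocument?cms=evil.example.net:6400 HTTP/1.1" 500 87
198.51.100.4 - - [10/Oct/2020:13:57:02 +0000] "GET /BOBJ/logon.jsp HTTP/1.1" 200 2048
"""

# Hypothetical allowlist: the CMS hosts this deployment legitimately uses.
ALLOWED_CMS_HOSTS = {"bi-cms01.corp.example"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def cms_host(cms_value):
    """Strip an optional :port from a CMS value such as host:6400 or [::1]:6400."""
    if cms_value.startswith("[") and "]" in cms_value:
        return cms_value[1:cms_value.index("]")]
    return cms_value.rsplit(":", 1)[0] if cms_value.count(":") == 1 else cms_value

def classify_cms(cms_value):
    """Return a reason string if the cms value is suspicious, else None."""
    host = cms_host(cms_value)
    if host in ALLOWED_CMS_HOSTS:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "cms host not on allowlist"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "cms points at internal/loopback address"
    return "cms points at unexpected public address"

def scan_log(text):
    """Return (source_ip, cms_value, reason) for each openDocument request with a suspicious cms."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/openDocument"):
            continue
        for cms in parse_qs(parts.query).get("cms", []):  # parse_qs also URL-decodes
            reason = classify_cms(cms)
            if reason:
                findings.append((m.group("src"), cms, reason))
    return findings

if __name__ == "__main__":
    for src, cms, reason in scan_log(SAMPLE_LOG):
        print(f"{src}\tcms={cms}\t{reason}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a burst of flagged requests from one source address is the pattern worth escalating.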
# No specific command available for direct detection; version check via Central Management Console is recommended.
4. Solution / Remediation Steps
Apply the patch or upgrade provided by SAP as detailed in their advisory. These steps aim to address the input validation flaw.
4.1 Preparation
- Ensure you have access to the latest SAP patch or upgrade package. The rollback plan is to restore from backup if issues occur.
- A change window may be required, depending on your environment. Approval from the security team is recommended.
4.2 Implementation
- Step 1: Download the latest SAP patch or upgrade package for your BusinessObjects version.
- Step 2: Stop the Web Services component in Central Management Console.
- Step 3: Install the downloaded patch or upgrade following SAP’s official documentation.
4.3 Config or Code Example
Before
# No specific configuration example available; the vulnerability is in application code. Input validation needs updating.
After
# After applying the patch, input validation should be in place to prevent arbitrary CMS parameter values.
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability type include least privilege and input validation.
- Practice 1: Implement the principle of least privilege for all service accounts, reducing the impact if exploited.
- Practice 2: Enforce strict input validation on all user-supplied data to block malicious requests.
4.5 Automation (Optional)
Automation is not directly applicable due to the nature of this vulnerability requiring a patch or upgrade.
# No automation script available for direct fix application; patching requires manual intervention.
5. Verification / Validation
- Post-fix check: Verify the BusinessObjects Central Management Console shows the updated patch level.
- Re-test: Attempt the earlier exploitation steps with a crafted request; it should no longer succeed.
- Monitoring: Monitor web server logs for any failed requests containing unusual CMS parameters.
# No specific command available; re-test exploitation steps to confirm mitigation.
6. Preventive Measures and Monitoring
Update security baselines and implement input validation checks in CI/CD pipelines.
- Baselines: Update your security baseline or policy to include the latest SAP patch level for BusinessObjects.
- Pipelines: Add static application security testing (SAST) tools to your CI/CD pipeline to identify similar input validation flaws.
- Asset and patch process: Implement a regular patch review cycle for all critical systems, including SAP BusinessObjects.
7. Risks, Side Effects, and Roll Back
Patching may cause temporary service disruption or compatibility issues with custom reports.
- Risk or side effect 1: Patch installation could lead to short-term service downtime.
- Roll back: Restore the BusinessObjects Central Management Console and database from backup if patching fails or causes significant issues.
8. References and Resources
- Vendor advisory or bulletin: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- NVD or CVE entry: CVE-2020-6308
- Product or platform documentation relevant to the fix: No specific link available; refer to SAP’s official patch documentation.