SAP BO BIP SSRF (CVE-2020-6308) - Vulnerability Database

Description

SAP BusinessObjects Business Intelligence Platform (BO BIP) contains a Server-Side Request Forgery (SSRF) vulnerability in its Web Intelligence HTML interface (BI Platform versions 4.2 and 4.3 per SAP's advisory). An unauthenticated attacker can inject arbitrary values as CMS (Central Management Server) parameters: the server-side component trusts the supplied host and port and performs name lookups and connection attempts against whatever the attacker names instead of the platform's real CMS. Because those connections originate from the SAP server, they reach internal hosts that are not exposed externally, so the attacker can probe the internal network, map its infrastructure and gather information for follow-on attacks, effectively bypassing network segmentation through the vulnerable server.

Remediation

Apply the security patches provided by SAP as soon as possible. The following steps cover the patch itself and the compensating controls that limit what an SSRF from this server can reach:

1. Identify Affected Systems: Determine which SAP BusinessObjects BI Platform installations run a vulnerable version (the affected Web Intelligence HTML interface ships with BI Platform 4.2 and 4.3)
2. Apply SAP Security Patches: Download and install the patches referenced in SAP Security Note 2939665, which addresses CVE-2020-6308
3. Verify Patch Installation: Confirm that the deployed version matches the patched level, then confirm that a request carrying an attacker-chosen CMS value is rejected rather than causing the server to look up or connect to that host
4. Implement Network Segmentation: As a defense-in-depth measure, restrict outbound connections from the SAP BO BIP web tier to the destinations it needs (its own CMS on the CMS port, 6400 by default, and the other BO BIP services it talks to) using host or network firewall rules, and explicitly block it from reaching cloud metadata endpoints, management interfaces and unrelated internal subnets
5. Monitor for Exploitation: Review web server access logs and the SAP server's outbound connection logs for CMS parameter values naming anything other than the configured CMS (loopback, link-local, private or external addresses, or the real CMS on an unexpected port) and for connection attempts from the server to internal hosts it has no business contacting
6. Apply Least Privilege: Run the SAP BO BIP services under an account with only the network access that legitimate operations require, so that a successful SSRF reaches as little as possible

For detailed patch installation instructions, consult SAP Security Note 2939665 available through the SAP Support Portal.
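The monitoring step above is easiest to act on with a concrete check. The script below is an added example written for this page, not code from Invicti or SAP: it scans web server access-log lines for the CMS parameter and flags every value that is not the CMS this web tier is configured to use, distinguishing loopback, link-local (cloud metadata), private and external targets and the real CMS host on an unexpected port. The parameter name `cms` (the field the BI launch pad logon form submits), the allowlisted host `bocms01.corp.example` and the log lines are all assumptions constructed for the example; adjust them to your deployment.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the request parameter that carries the CMS endpoint (host:port)
# the web tier should connect to; extend the set if your deployment uses others.
CMS_PARAM_NAMES = {"cms"}

# Assumption: the only CMS this web tier is legitimately configured to reach,
# mapped to the port(s) it should use (6400 is the default CMS port).
ALLOWED_CMS = {"bocms01.corp.example": {6400}}

# Common/combined access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a legitimate logon, a cloud-metadata probe, an internal
# port probe, the real CMS on a wrong port, a loopback probe via bracketed
# IPv6, and an unrelated request. None of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2020:09:14:02 +0000] "GET /BOE/BI/logon.jsp?cms=bocms01.corp.example%3A6400&authType=secEnterprise HTTP/1.1" 200 5120
203.0.113.7 - - [12/Oct/2020:09:14:31 +0000] "GET /BOE/BI/logon.jsp?cms=169.254.169.254%3A80&authType=secEnterprise HTTP/1.1" 200 5120
203.0.113.7 - - [12/Oct/2020:09:14:32 +0000] "GET /BOE/BI/logon.jsp?cms=10.10.20.15%3A22 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Oct/2020:09:14:33 +0000] "GET /BOE/BI/logon.jsp?cms=bocms01.corp.example%3A445 HTTP/1.1" 200 5120
198.51.100.9 - - [12/Oct/2020:09:15:00 +0000] "GET /BOE/BI/logon.jsp?cms=%5B%3A%3A1%5D%3A6400 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2020:09:16:00 +0000] "GET /BOE/portal/ HTTP/1.1" 302 0
"""


def split_host_port(value):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port string or None)."""
    value = value.strip()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return value, None
        rest = value[end + 1:]
        return value[1:end], (rest[1:] if rest.startswith(":") else None)
    host, sep, port = value.rpartition(":")
    if not sep or ":" in host:                     # no port, or bare IPv6
        return value, None
    return host, port


def parse_port(port):
    """Port as int, None if absent, -1 if it is not a valid TCP port."""
    if port is None:
        return None
    try:
        number = int(port)
    except ValueError:
        return -1
    return number if 0 < number < 65536 else -1


def classify_cms_target(value):
    """Return why a CMS value looks like an SSRF probe, or None if it is benign."""
    host, port = split_host_port(value)
    port_number = parse_port(port)
    if port_number == -1:
        return f"malformed port {port!r}"
    allowed_ports = ALLOWED_CMS.get(host.lower())
    if allowed_ports is not None:
        if port_number is None or port_number in allowed_ports:
            return None
        return f"allowed CMS host but unexpected port {port_number}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # 169.254.0.0/16 also counts as private, so test link-local before private.
        if ip.is_loopback:
            return "loopback address"
        if ip.is_link_local:
            return "link-local address (cloud metadata range)"
        if ip.is_private:
            return "private address not in allowlist"
        return "external address not in allowlist"
    if host.lower() == "localhost":
        return "loopback hostname"
    return "hostname not in allowlist"


def scan_access_log(lines):
    """One finding per CMS parameter value that does not name the configured CMS."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query, keep_blank_values=True)
        for name, values in query.items():
            if name.lower() not in CMS_PARAM_NAMES:
                continue
            for value in values:          # parse_qs has already URL-decoded the value
                reason = classify_cms_target(value)
                if reason:
                    findings.append({"client": match.group("client"), "time": match.group("time"),
                                     "param": name, "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{f["time"]} {f["client"]} {f["param"]}={f["value"]!r}: {f["reason"]}')
```

Run against the constructed sample it reports four findings and ignores the legitimate logon. Two caveats when using this on real systems: access logs only show the query string, so a probe that sends the CMS value in a POST body is invisible here unless the reverse proxy logs request bodies, which is why the outbound-connection logs from step 4 (the web tier should only ever open connections to its CMS on the CMS port) are the more reliable signal; and an allowlist check is deliberately strict, so add every legitimate CMS host name and alias before alerting on it.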
