SAP BO BIP XXE (CVE-2022-28213)
Description
SAP BusinessObjects Business Intelligence Platform (BO BIP) SOAP Web Services contains an XML External Entity (XXE) injection vulnerability (CVE-2022-28213). The flaw allows an authenticated attacker to submit a specially crafted XML request that the application parses without restricting external entity resolution, so the request can reference entities outside the document. Successful exploitation can lead to unauthorized file disclosure, server-side request forgery (SSRF), or denial-of-service conditions.
Remediation
Apply the security patches provided by SAP immediately to remediate this vulnerability:
1. Update SAP BO BIP: Upgrade to the latest patched version of SAP BusinessObjects Business Intelligence Platform as specified in SAP Security Note 3158145. Consult SAP's official security advisories for your specific version.
2. Disable External Entity Processing: If immediate patching is not possible, configure the XML parsers to reject DOCTYPE declarations and disable external entity resolution as a temporary mitigation. For Java-based parsers, apply the following settings:
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Reject any DOCTYPE declaration outright; this alone blocks classic XXE payloads.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Belt and braces for parsers that still accept a DOCTYPE: never fetch external entities.
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// XInclude can pull in external documents the same way an entity would.
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
3. Network Segmentation: Restrict outbound network connections from the SAP BO BIP server to prevent SSRF exploitation.
4. Verify Remediation: After applying patches, conduct vulnerability scanning to confirm the XXE vulnerability has been successfully mitigated.