SAP IGS XXE (CVE-2018-2392, CVE-2018-2393)
Description
SAP Internet Graphics Server (IGS) versions 7.20, 7.20EXT, 7.45, 7.49, and 7.53 contain an XML External Entity (XXE) injection vulnerability that can be exploited without authentication. This flaw allows attackers to manipulate XML input processed by the IGS service, potentially leading to unauthorized access to sensitive system resources and information disclosure.
Remediation
Apply the official SAP security patches released in February 2018 for the affected SAP Internet Graphics Server versions. Follow these steps:
1. Review the SAP Security Patch Day bulletin for February 2018 to identify the specific patches applicable to your IGS version
2. Download the appropriate security patches from the SAP Support Portal
3. Schedule a maintenance window and apply the patches following SAP's installation guidelines
4. Verify the patch installation by checking the IGS version and testing XML processing functionality
5. As an additional defense-in-depth measure, configure XML parsers to disable external entity processing and DTD resolution where possible
6. Implement network segmentation to restrict IGS access to only authorized systems and users
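As a worked illustration of step 5, the following Python is an added example (not SAP code and not part of the IGS product) of an XML intake filter that refuses any DOCTYPE, entity declaration or external entity reference before the document is parsed, which is the parser-level property the step asks for. It would sit in a gateway or in application code that accepts XML from untrusted sources on its way to IGS; it uses only the standard library's expat bindings. The sample documents and the `file:///PLACEHOLDER/...` URI in them are constructed for the example.

```python
"""Hardened XML intake: reject DTD constructs before anything is expanded.

Added example, not SAP's code. Demonstrates remediation step 5 (disable
external entity processing and DTD resolution): expat is configured so that
a DOCTYPE, an entity declaration or an external entity reference aborts the
parse, so an XXE payload is rejected instead of resolved.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlRejected(ValueError):
    """Raised when untrusted XML carries a DTD or entity construct."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires on '<!DOCTYPE ...>' before any entity inside it is declared.
    raise UnsafeXmlRejected(f"DOCTYPE {doctype_name!r} not allowed in untrusted input")


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # Defense in depth: also refuse any <!ENTITY ...> declaration on its own.
    raise UnsafeXmlRejected(f"entity declaration {entity_name!r} not allowed")


def _reject_external_ref(context, base, system_id, public_id):
    # Returning 0 tells expat the reference could not be resolved; it then
    # reports an error rather than fetching the resource.
    return 0


def check_untrusted_xml(data: bytes) -> None:
    """Scan `data` with a parser that raises on any DTD construct.

    Raises UnsafeXmlRejected for DTD/entity usage or malformed XML; returns
    None when the document contains only plain markup.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXmlRejected(f"malformed XML: {exc}") from exc


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Validate first, then parse with ElementTree for normal processing."""
    check_untrusted_xml(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a candidate document."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXmlRejected:
        return "rejected"


# Constructed sample inputs (not real IGS traffic).
BENIGN_XML = b'<?xml version="1.0"?><chart><title>Sales Q1</title></chart>'
# Shape of an XXE payload: a DOCTYPE declaring an external entity. The URI is
# a placeholder; the filter rejects the document at the DOCTYPE, so nothing is read.
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE chart [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
           b'<chart><title>&ext;</title></chart>')
# Internal entity only (no external fetch), still refused: DTDs are not needed here.
INTERNAL_ENTITY_XML = (b'<?xml version="1.0"?>'
                       b'<!DOCTYPE chart [<!ENTITY t "x">]>'
                       b'<chart><title>&t;</title></chart>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML),
                       ("internal-entity", INTERNAL_ENTITY_XML)):
        print(f"{label}: {classify(doc)}")
```

Rejecting every DTD, not only external entities, is the usual choice for an intake point: legitimate chart or request documents do not need one, and a blanket refusal also covers entity-expansion (denial-of-service) variants that step 5's phrasing does not mention. Log each rejection with the source address so that probing for this class of bug is visible to the SOC.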