SAP NetWeaver ConfigServlet remote command execution
Description
SAP NetWeaver contains a critical vulnerability in the ConfigServlet component that allows unauthenticated remote attackers to execute arbitrary operating system commands. This vulnerability, discovered by ERPScan, exists due to improper access controls on the ConfigServlet interface, which can be exploited without requiring any authentication credentials.
Remediation
Apply the following remediation steps immediately:
1. Install SAP Security Patches:
Apply SAP Security Notes 1467771 and 1445998 through the SAP Support Portal. These patches address the underlying vulnerability in the ConfigServlet component.
2. Disable Invoker Servlet Globally:
Access the SAP NetWeaver Administrator (NWA) and navigate to Configuration Management → Infrastructure → Application Modules → servlet_jsp service. Locate the EnableInvokerServletGlobally property and set its value to false on all server nodes. This prevents unauthorized servlet invocation.
3. Verify Remediation:
After applying patches and configuration changes, restart the affected server nodes and verify that the ConfigServlet is no longer accessible without proper authentication. Test access controls to ensure the vulnerability has been fully mitigated.
4. Review Access Logs:
Examine system and application logs for any suspicious activity or potential exploitation attempts prior to remediation.