SAP NetWeaver ipcpricing server side request forgery - Vulnerability Database

SAP NetWeaver ipcpricing server side request forgery

Description

The SAP NetWeaver ipcpricing application contains a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to manipulate the server into making unauthorized HTTP requests on their behalf. This vulnerability enables attackers to abuse the server as a proxy to access internal network resources, scan ports behind firewalls, or retrieve sensitive files using protocols like file://, gopher://, or tftp://. By exploiting this flaw, attackers can bypass network security controls that would normally prevent direct access to protected systems and resources.

Remediation

Apply SAP Security Note 1545883 immediately to remediate this vulnerability. Follow these steps:

1. Log in to the SAP Service Marketplace and download Security Note 1545883
2. Review the note carefully to understand all affected components and required changes
3. Apply the security patch to all affected SAP NetWeaver systems running the ipcpricing application
4. After patching, verify that the BufferOverview.jsp endpoint properly validates and restricts URL parameters to prevent SSRF attacks
5. Consider implementing additional network-level controls such as egress filtering to limit outbound connections from SAP application servers
6. Test the application thoroughly in a non-production environment before deploying to production systems
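A URL-parameter validator of the kind step 4 calls for, written here as an added example rather than SAP's or Invicti's code: it accepts only http/https (so the file://, gopher:// and tftp:// cases from the description are rejected), refuses IP literals in loopback, private and other non-routable ranges, and requires the host to be on an explicit allowlist. The allowlist entry and the function name are assumptions, not anything from the security note.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of backend hosts the pricing endpoint may contact.
ALLOWED_HOSTS = {"pricing-backend.corp.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_nonroutable_ip_literal(host: str) -> bool:
    """True if host is an IP literal in a range that must never be reached via SSRF."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; handled by the hostname allowlist
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_url_param(value: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a user-supplied URL parameter.

    Allowlisting the hostname (instead of denylisting addresses) means no DNS
    lookup is needed here, which avoids trusting a resolver the attacker may influence.
    """
    try:
        parts = urlsplit(value)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if is_nonroutable_ip_literal(host):
        return False, "host is a non-routable IP literal"
    if host.lower() not in allowed_hosts:
        return False, f"host not in allowlist: {host}"
    return True, "ok"
```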