SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
Description
SAP NetWeaver Java Application Server contains an information disclosure vulnerability in the Web Dynpro Real Time Collaboration (RTC) chat application (WD_CHAT component). The vulnerable application answers requests from unauthenticated remote attackers, so sensitive system information can be retrieved without any credentials. The exposed data includes complete lists of SAP users, groups, and role assignments, which should be restricted to authenticated administrators only.
Remediation
Apply SAP Security Note 2255990 immediately to remediate this vulnerability. Follow these steps:
1. Log in to the SAP Support Portal (https://support.sap.com) with appropriate credentials
2. Download SAP Security Note 2255990 and review all implementation instructions
3. Apply the security patch to all affected SAP NetWeaver Java AS instances running the WD_CHAT component
4. Verify the patch installation by attempting to access the WD_CHAT user enumeration endpoint without authentication and confirming that it no longer returns user, group or role data
5. Review access logs for any evidence of exploitation prior to patching
6. Consider implementing network-level access controls to restrict access to Web Dynpro applications to trusted networks only
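Step 5 asks for a review of access logs for exploitation prior to patching, and step 4 describes the post-patch check. The following script is an added example, not part of the SAP note or this advisory: it parses HTTP access log lines and separates successful unauthenticated requests to the WD_CHAT application (evidence of exposure) from rejected ones (the expected outcome after patching). The log format (Common Log Format with "-" in the user field for anonymous callers), the sample lines and the application path containing "EXAMPLE~wd_chat" are all constructed for the example; on a real system the Web Dynpro path and the log format must be taken from the installation.

```python
"""Scan NetWeaver Java AS HTTP access logs for unauthenticated access to WD_CHAT.

Added example, not SAP's own tooling. Assumptions (constructed):
  - Lines follow Common Log Format; the user field is "-" when no user
    authenticated to the Java AS for that request.
  - The WD_CHAT application path contains "/webdynpro/" and "wd_chat".
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines: one anonymous hit that returned data, one
# authenticated hit, one unrelated request, and one anonymous hit that was
# rejected (what the endpoint should do after SAP Note 2255990 is applied).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Mar/2016:08:15:02 +0000] '
    '"GET /webdynpro/resources/sap.com/EXAMPLE~wd_chat/Chat HTTP/1.1" 200 48213',
    '198.51.100.20 - jdoe [10/Mar/2016:09:01:44 +0000] '
    '"GET /webdynpro/resources/sap.com/EXAMPLE~wd_chat/Chat HTTP/1.1" 200 48213',
    '203.0.113.7 - - [10/Mar/2016:09:30:10 +0000] "GET /irj/portal HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Mar/2016:11:00:00 +0000] '
    '"GET /webdynpro/resources/sap.com/EXAMPLE~wd_chat/Chat HTTP/1.1" 401 0',
]


@dataclass
class Finding:
    ip: str
    timestamp: datetime
    path: str
    status: int
    size: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_wd_chat_request(path: str) -> bool:
    """Match the Web Dynpro RTC chat application (assumed path shape)."""
    p = path.lower()
    return "/webdynpro/" in p and "wd_chat" in p


def scan(lines: Iterable[str]) -> Tuple[List[Finding], List[Finding]]:
    """Return (exposures, blocked).

    exposures: anonymous requests to WD_CHAT answered with 2xx, i.e. the
               endpoint served content without credentials.
    blocked:   anonymous requests to WD_CHAT that were rejected (401/403),
               the behaviour expected once the patch is in place.
    Authenticated requests are normal use and are not reported.
    """
    exposures: List[Finding] = []
    blocked: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_wd_chat_request(rec["path"]):
            continue
        if rec["user"] != "-":
            continue
        f = Finding(rec["ip"], rec["timestamp"], rec["path"], rec["status"], rec["size"])
        if 200 <= f.status < 300:
            exposures.append(f)
        elif f.status in (401, 403):
            blocked.append(f)
    return exposures, blocked


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source IP, for triage of the exposure list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    exposures, blocked = scan(SAMPLE_LINES)
    for f in exposures:
        print(f"EXPOSURE {f.timestamp.isoformat()} {f.ip} {f.path} {f.status} {f.size}B")
    for f in blocked:
        print(f"blocked  {f.timestamp.isoformat()} {f.ip} {f.path} {f.status}")
    print("per-IP exposure counts:", summarize(exposures))
```

Run it against the real access log by replacing SAMPLE_LINES with the file's lines and adjusting `is_wd_chat_request` to the application path observed on the system. Any entry in the exposure list dated before the patch was applied is the evidence step 5 is looking for; after patching, a deliberate anonymous request should show up only in the blocked list, which is the confirmation step 4 asks for.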