SAP NetWeaver Application Server Java
cpe:2.3:a:sap:application_server_java:*:*:*:*:*:*:*
An information disclosure vulnerability has been identified in SAP NetWeaver Application Server Java. This vulnerability allows an attacker to access an endpoint that reveals details about deployed server components, including their XML definitions. Ideally, this information should be restricted to customer administrators. The exposed XML files, while not entirely internal to SAP, are deployed with the server. As a result, sensitive information could be leaked, although integrity and availability are not affected.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information about server components and their configurations, potentially allowing for further attacks or exploitation of other vulnerabilities.
Users are advised to review and implement the SAP Security Notes available in SAP for Me. Security fixes for SAP NetWeaver based products are delivered with the support packages. For details on the SAP Security Patch Day schedule and how to access SAP Security Notes, refer to the SAP Security Notes FAQ.