SAP NetWeaver AS JAVA IIOP Service Object Identifier Prediction Vulnerability

Vulnerability

A vulnerability exists in the SAP NetWeaver AS JAVA IIOP service due to insufficient randomness in the assignment of Object Identifiers. This flaw allows an authenticated attacker with low privileges to predict identifiers through brute force methods. By analyzing identifiers generated in close temporal proximity, the attacker could identify a specific identifier to access limited system information. While this vulnerability poses a low risk to confidentiality, it does not affect the integrity or availability of the service.
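The weakness class described above, as an added example that is not SAP code and not part of the original advisory: a defender-side audit that takes a batch of identifiers issued close together in time and flags low entropy or sequential structure. The advisory does not publish the real Object Identifier layout, so the 128-bit width, the time-plus-counter weak scheme, the sample timestamp and all function names here are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

ID_BITS = 128  # assumed identifier width for this illustration


def weak_ids(n, issued_at_ms=1_757_384_760_000):
    """Constructed weak scheme: issue time in the high bits, counter in the low bits."""
    return [(issued_at_ms << 32) | seq for seq in range(n)]


def strong_ids(n):
    """Hardened scheme: every identifier drawn from the OS CSPRNG."""
    return [secrets.randbits(ID_BITS) for _ in range(n)]


def varying_bits(ids):
    """Count bit positions that differ anywhere in the sample."""
    mask = 0
    for value in ids[1:]:
        mask |= value ^ ids[0]
    return bin(mask).count("1")


def next_is_predictable(ids):
    """Hold out the last identifier and test whether the most common
    step between earlier neighbours lands on it exactly."""
    known, held_out = ids[:-1], ids[-1]
    steps = Counter(b - a for a, b in zip(known, known[1:]))
    common_step, _ = steps.most_common(1)[0]
    return known[-1] + common_step == held_out


def audit(ids, min_varying_bits=64):
    """Return findings for a batch of identifiers issued close together."""
    findings = []
    if varying_bits(ids) < min_varying_bits:
        findings.append("low-entropy")
    if next_is_predictable(ids):
        findings.append("sequential")
    return findings


if __name__ == "__main__":
    for name, batch in (("weak", weak_ids(64)), ("strong", strong_ids(64))):
        print(name, varying_bits(batch), audit(batch))
```

Run against identifiers sampled from a test system, the same two checks show whether a patched service still issues identifiers that share most of their bits with their neighbours.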

Impact

Exploitation of this vulnerability could lead to unauthorized access to limited system information, potentially allowing an attacker to infer or manipulate data based on the accessed information.

Remediation

Users are advised to review and implement the latest SAP Security Notes. Security fixes for SAP NetWeaver based products are delivered with the support packages. For information on the latest SAP Security Notes, consult the SAP Security Patch Day Bulletin.

Added: Sep 9, 2025, 2:26 AM
Updated: Sep 9, 2025, 2:26 AM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.