The biggest news this Patch Tuesday may be the patch released for an SAP vulnerability reported twice over the past six years.
Europe's largest software vendor, SAP, first reported the vulnerability in the Invoker Servlet in 2010, when an initial patch was released and SAP recommended disabling the vulnerable Java servlet. However, not all SAP users were aware that the vulnerability also depended on their own custom implementations and configurations.
"This problem of configuration changes is not unique to SAP," said Jake Williams, founder of infosec consulting firm Rendition Infosec in Augusta, Ga. "We have clients with several different enterprise resource planning (ERP) systems that are running in vulnerable configurations due to compatibility requirements with legacy code they have deployed. Many clients build applications on top of ERP systems such as SAP that are in 'run to fail' mode. This may be due to the original developers retiring or the contractor who wrote the application may have gone out of business. In these cases, the organization must run their server in a vulnerable configuration in order to run their critical business apps."
US-CERT issued an alert about the SAP vulnerability this May, warning that attackers were actively exploiting the vulnerability in at least three dozen global enterprises. The exploit activity was reported in May by Boston-based application security firm Onapsis Inc.
"This is just the tip of the iceberg," Onapsis wrote, adding: "Based on our experience helping secure some of the world's largest SAP implementations, we believe that many more organizations (other than the 36 included in this report) may be affected by this threat."
US-CERT recommended that "users and administrators implement SAP Security Note 1445998 and disable the Invoker Servlet," and also pointed to Onapsis' recommendations for detailed instructions on how to disable the servlet.
Alexander Polyakov, CTO and co-founder of ERPScan, who created a tool to manually assess SAP configurations and detect this issue, wrote that the issue was "an information disclosure vulnerability ... [that could] transform and consolidate business information from virtually any source system." He said the real difficulty was in patching the Invoker Servlet flaw.
"First, it was necessary to analyze if an invoker servlet is enabled by default, then disable it and reboot the system. After that, you have to manually assess every web service (and there are 500+ of them just in a default J2EE installation) and check if invoker servlet functionality is enabled or disabled," Polyakov wrote; if the servlet is enabled, the next step is to disable it and make sure that no critical services are exposed.
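The per-application assessment Polyakov describes, as an added example that is not code from the article, SAP or ERPScan: a Python helper that combines the global invoker-servlet switch with a per-application override and lists the servlets each web.xml declares without a URL mapping, since those are reachable only through the invoker. The property names (EnableInvokerServletGlobally, InvokerServletLocallyEnabled), the sample descriptors and the inventory format are assumptions, not from the page.

```python
"""Audit model for the Invoker Servlet check: a global switch, an optional
per-application override, and the servlets a web.xml declares without any
<servlet-mapping> (reachable only via the invoker, by class name).
ASSUMPTION (not from the article): the switch names EnableInvokerServletGlobally
and InvokerServletLocallyEnabled; verify them against SAP Security Note 1445998."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: "Admin" is declared but never mapped to a URL.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>Report</servlet-name><servlet-class>x.Report</servlet-class></servlet>
  <servlet><servlet-name>Admin</servlet-name><servlet-class>x.Admin</servlet-class></servlet>
  <servlet-mapping><servlet-name>Report</servlet-name><url-pattern>/report</url-pattern></servlet-mapping>
</web-app>"""
# Constructed sample inventory: app name -> (web.xml text, local override or None).
SAMPLE_APPS = {"legacy": (SAMPLE_WEB_XML, True), "clean": (SAMPLE_WEB_XML, None)}

def _local(tag: str) -> str:
    """Strip a namespace prefix so DTD-style and schema-style web.xml parse alike."""
    return tag.rsplit("}", 1)[-1]

def unmapped_servlets(web_xml: str) -> list:
    """Servlet names declared with no <servlet-mapping>. With the invoker on they are
    callable by class name and bypass URL-pattern <security-constraint>s; with it
    off they are unreachable, which is what breaks 'run to fail' legacy apps."""
    declared, mapped = set(), set()
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) in ("servlet", "servlet-mapping"):
            names = [(c.text or "").strip() for c in el if _local(c.tag) == "servlet-name"]
            (declared if _local(el.tag) == "servlet" else mapped).update(names)
    return sorted(declared - mapped)

def invoker_effective(global_enabled: bool, local_override) -> bool:
    """A per-application override wins when present; otherwise the global switch applies."""
    return global_enabled if local_override is None else bool(local_override)

def audit(apps: dict, global_enabled: bool) -> dict:
    """Per application: effective invoker state plus its invoker-only servlets."""
    return {name: {"invoker_enabled": invoker_effective(global_enabled, local),
                   "invoker_only_servlets": unmapped_servlets(web_xml)}
            for name, (web_xml, local) in apps.items()}

def exposed_apps(findings: dict) -> list:
    """Apps where the invoker is still on AND unmapped servlets exist: review first."""
    return sorted(n for n, f in findings.items()
                  if f["invoker_enabled"] and f["invoker_only_servlets"])

if __name__ == "__main__":
    result = audit(SAMPLE_APPS, global_enabled=False)  # global switch already off
    print(result)
    print("still exposed:", exposed_apps(result))  # ['legacy']
```

Run it against the real inventory of deployed applications after the global switch and reboot; anything in the exposed list either needs its override removed or a deliberate decision that the listed servlets are not critical.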
After the US-CERT alert was released, Linn Freedman, a partner at the law firm Robinson+Cole, wrote: "The bottom line is that when software companies, such as SAP, provide patches for security vulnerabilities, it is important to follow the instructions of the company and run the security configurations and recommendations to protect the system from the known vulnerability."
Polyakov warned users that an SAP vulnerability like this one often requires more work to patch than other issues.
"A large number of SAP patches don't exactly fix an issue as it seems to a[n] unexperienced user. This situation relates mostly to configuration issues," Polyakov wrote. "SAP closes most issues by just introducing new parameters, which SAP administrators need to manually enable. That's why one has so many difficulties with securing SAP systems. Simply saying, you can't just implement patch. In most cases, additional configurations are required after that. That's the most important takeaway."