CVE-2024-42374
📋 TL;DR
This XML injection vulnerability in the SAP BEx Web Java Runtime Export Web Service stems from the service not sufficiently validating XML documents submitted from untrusted sources. An attacker can use it to retrieve sensitive information from the SAP Adobe Document Services (ADS) system and to cause a denial of service by consuming the XMLForm services that ADS uses to render PDF files. It therefore affects confidentiality (data exposure) and availability (PDF rendering becomes unavailable for BEx Web exports and for any other application that depends on the same ADS instance). Organizations running affected SAP Business Explorer components are exposed.
💻 Affected Systems
- SAP Business Explorer (BEx) Web Java Runtime Export Web Service
📦 What is this software?
BEx Web Java Runtime Export Web Service by SAP. BEx Web is the web front end of SAP Business Explorer (the reporting toolset of SAP BW); it runs on SAP NetWeaver AS Java, and its Export Web Service produces PDF exports of web reports by sending XML to Adobe Document Services (ADS) for rendering.
⚠️ Risk & Real-World Impact
Worst Case
Exposure of sensitive data held on or reachable from the SAP ADS system, plus a sustained denial of PDF rendering for every application that depends on that ADS instance (not only BEx Web exports) for as long as the attacker keeps exhausting XMLForm services; disclosed data could also aid further attacks within the SAP landscape.
Likely Case
Information disclosure of sensitive business data and temporary unavailability of PDF generation functionality.
If Mitigated
Limited impact where the export service only accepts validated XML and the ADS system is isolated from untrusted networks; the residual risk is minor service degradation from malformed requests that are rejected at the boundary.
🎯 Exploit Status
Exploitation requires some understanding of how the Export Web Service hands XML to the ADS XMLForm services and of the BEx Web architecture, but XML injection against a service that forwards attacker-controlled XML to a backend parser is a well-known attack class, so the bar is not high.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to SAP Note 3485284 for specific patch information
Vendor Advisory: https://me.sap.com/notes/3485284
Restart Required: Yes
Instructions:
1. Review SAP Note 3485284 for the affected component versions and the patch level that applies to your system.
2. Download and deploy the security patch from the SAP Support Portal (BEx Web Java Runtime is an AS Java component, so deployment is done with the Java patching tools, not ABAP support packages).
3. Restart the affected AS Java instance(s).
4. Confirm the patched component version is deployed and that the export service rejects unexpected XML (see How to Verify).
🔧 Temporary Workarounds
Disable Export Web Service
Temporarily disable the vulnerable BEx Web Java Runtime Export Web Service if it is not required for business operations.
Specific commands depend on SAP system configuration; consult SAP administration documentation
Implement XML Input Validation
Add XML schema validation and input filtering in front of the service, at the network perimeter or in the application layer, so that only the expected export request structure reaches the service and anything carrying a DTD or entity declaration is rejected before it is forwarded to ADS.
Implement XML schema validation in the web service configuration.
Follow the input validation guidance in the relevant SAP security notes.
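The validation gate described above, as an added example that is not part of the original page and not SAP's own code. It assumes a hypothetical export request vocabulary (root element Export with child elements Query, Format and Filter) and hypothetical size and depth limits; the technique is what matters: refuse any DTD or entity declaration before the parser ever sees it, cap document size and nesting depth so a request cannot exhaust the downstream renderer, and allow-list the element names so an unexpected structure is rejected instead of forwarded. It uses only the Python standard library.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical limits and vocabulary for an export request (assumptions, not
# taken from SAP documentation).
MAX_BYTES = 256 * 1024          # reject oversized documents before parsing
MAX_DEPTH = 32                  # stop parsing once nesting gets this deep
ALLOWED_ROOT = "Export"
ALLOWED_TAGS = {"Export", "Query", "Format", "Filter"}

# Any DTD or entity declaration is refused outright.  This is checked on the
# raw bytes, so no entity (internal or external) can reach the parser or the
# rendering backend.  A comment containing this text is also rejected; the
# gate fails closed on purpose.
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised when a request does not pass the gate."""


def validate_export_request(data: bytes) -> ET.Element:
    """Return the parsed root element of an acceptable request, else raise RejectedXML."""
    if len(data) > MAX_BYTES:
        raise RejectedXML("document too large")
    if DTD_RE.search(data):
        raise RejectedXML("DTD/entity declarations are not accepted")

    parser = ET.XMLPullParser(events=("start", "end"))
    depth = 0
    root = None
    try:
        # Feed in chunks and inspect start/end events as they arrive, so a
        # deeply nested or unexpected document is abandoned early instead of
        # being fully built in memory first.
        for i in range(0, len(data), 4096):
            parser.feed(data[i:i + 4096])
            for event, elem in parser.read_events():
                if event == "start":
                    depth += 1
                    if depth > MAX_DEPTH:
                        raise RejectedXML("nesting too deep")
                    if elem.tag not in ALLOWED_TAGS:
                        raise RejectedXML(f"unexpected element {elem.tag!r}")
                    if depth == 1:
                        if elem.tag != ALLOWED_ROOT:
                            raise RejectedXML("unexpected root element")
                        root = elem
                else:
                    depth -= 1
        parser.close()               # raises ParseError on truncated input
        for event, elem in parser.read_events():
            if event == "start":     # nothing should be left, but keep depth honest
                depth += 1
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from None
    return root


def check(data: bytes):
    """Convenience wrapper for callers and tests: (True, '') or (False, reason)."""
    try:
        validate_export_request(data)
        return True, ""
    except RejectedXML as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [
        b"<?xml version='1.0'?><Export><Query>Q1</Query><Format>PDF</Format></Export>",
        b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><Export>&e;</Export>",
        b"<Export>" + b"<Filter>" * 40 + b"</Filter>" * 40 + b"</Export>",
        b"<Export><Script/></Export>",
    ]
    for s in samples:
        print(check(s))
```

Placing this in front of the service (or as the first step of the handler) means the XML forwarded to ADS is already known to be free of DTDs, bounded in size and depth, and limited to the expected element names; the patch from SAP Note 3485284 remains the actual fix, this only narrows what an unpatched service can be made to process.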
🧯 If You Can't Patch
- Implement network segmentation to isolate SAP ADS systems from untrusted networks
- Deploy web application firewall with XML injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check SAP system version against affected versions in SAP Note 3485284 and verify BEx Web Java Runtime Export Web Service is enabled.
Check Version:
BEx Web Java Runtime runs on SAP NetWeaver AS Java, so ABAP transactions such as SM51 or RZ10 will not show its version. Check the deployed component versions in the AS Java System Information page (/monitoring/SystemInfo) or in SAP NetWeaver Administrator (/nwa) and compare them with the versions listed in SAP Note 3485284.
Verify Fix Applied:
Confirm in the AS Java System Information page that the component version matches the patched version named in SAP Note 3485284 (SPAM/SAINT only apply to ABAP support packages and will not reflect a Java patch). Then, in a non-production system, submit an export request whose XML carries a DOCTYPE or entity declaration and confirm the service rejects it rather than forwarding it to ADS.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML payloads to BEx Web services
- Multiple failed XMLForm service requests
- SAP ADS system access from unexpected sources
Network Indicators:
- XML requests with injection patterns to Export Web Service endpoints
- High volume of XMLForm service requests
SIEM Query:
source="sap_logs" AND (message="*XMLForm*" OR message="*BEx Export*") AND (message="*error*" OR message="*exception*")
The source name and the message field are placeholders; adjust them to how your SAP AS Java logs are ingested. Use wildcard (substring) matches as above, since an exact match on the whole message field would miss real log lines.
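The three log indicators above (injection patterns in request bodies, bursts of failed XMLForm requests, access from unexpected sources), as detection logic run over constructed sample log lines. This is an added example, not part of the original page and not SAP's own logging format: the line layout, field names, trusted network prefixes and thresholds are all assumptions, and the lines themselves are made up to exercise each rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line layout for the Export Web Service (an assumption, not
# the real SAP trace format).  Adapt LINE_RE to the fields your ingest produces.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+) status=(?P<status>\d+) '
    r'msg="(?P<msg>[^"]*)" body="(?P<body>.*)"$'
)

# DTD/entity constructs have no place in an export request; their presence is
# the "injection pattern" indicator.
INJECTION_RE = re.compile(r"<!DOCTYPE|<!ENTITY|SYSTEM\s+['\"]|PUBLIC\s+['\"]", re.I)

# Hypothetical allow-list of networks that legitimately call the service.
TRUSTED_PREFIXES = ("10.0.5.", "10.0.6.")

BURST_THRESHOLD = 3                   # XMLForm failures from one source ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return a list of (alert_kind, source, timestamp) tuples."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent XMLForm failures
    burst_flagged, source_flagged = set(), set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["svc"] != "BExExport":
            continue
        ts, src = rec["ts"], rec["src"]

        # Indicator 1: injection patterns in the submitted XML.
        if INJECTION_RE.search(rec["body"]):
            alerts.append(("xml_injection_pattern", src, ts))

        # Indicator 3: caller outside the expected networks (reported once per source).
        if not src.startswith(TRUSTED_PREFIXES) and src not in source_flagged:
            source_flagged.add(src)
            alerts.append(("unexpected_source", src, ts))

        # Indicator 2: repeated XMLForm failures from one source, which is what
        # service exhaustion looks like from the BEx side.
        if rec["status"] >= 500 and "XMLForm" in rec["msg"]:
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append(("xmlform_failure_burst", src, ts))
    return alerts


# Constructed sample log: one benign export, three hostile requests from an
# untrusted address, and a trusted caller that merely suffers the resulting outage.
SAMPLE_LOG = """\
2024-08-14T10:00:01Z src=10.0.5.7 svc=BExExport status=200 msg="export ok" body="<?xml version='1.0'?><Export><Query>Q1</Query></Export>"
2024-08-14T10:00:05Z src=203.0.113.9 svc=BExExport status=500 msg="XMLForm service error" body="<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><Export>&e;</Export>"
2024-08-14T10:00:20Z src=203.0.113.9 svc=BExExport status=500 msg="XMLForm service error" body="<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><Export>&e;</Export>"
2024-08-14T10:00:40Z src=203.0.113.9 svc=BExExport status=503 msg="XMLForm service unavailable" body="<?xml version='1.0'?><!DOCTYPE x [<!ENTITY a 'x'>]><Export>&a;</Export>"
2024-08-14T10:01:00Z src=10.0.5.8 svc=BExExport status=200 msg="export ok" body="<Export><Query>Q2</Query></Export>"
2024-08-14T10:01:10Z src=10.0.6.2 svc=BExExport status=503 msg="XMLForm service unavailable" body="<Export><Query>Q3</Query></Export>"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule fires only when failures from the same source cluster inside the window; the trusted caller at the end, which sees a single 503 because the renderer is already exhausted, is correctly not flagged as the attacker, though that line is itself the availability symptom to correlate with the earlier alerts.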