Nowadays the SAP NetWeaver platform is the one of the most widespread platforms for developing and integrating enterprise business applications. It’s becoming a popular security topic, but due to its complexity it is still not covered well.
If you are interested in SAP security you may know about previous attack fields in SAP like: RFC protocol, SAPGUI, SAP Router, SAP Web, ABAP code, but there was no any information about one of the biggest areas of SAP – J2EE Engine.
This paper by Alexander Polyakov focuses on one of the black holes called SAP J2EE engine. Some of the business- critical SAP products like SAP Portal, SAP Mobile, SAP XI, SAP PI, SAP Solution Manager and many other SAP’s or custom applications lay on J2EE engine which is apart from ABAP engine is less discussed but also have security issues.
In this paper Alexander Polyakov explains the architecture of SAP J2EE engine and its internals. Also discusses are a number of previously unknown architecture and program vulnerabilities from auth bypasses, smbrelays, internal scans, information discloses, invoker servlet bypasses, insecure encryption algorithms and cross-system vulnerabilities in the J2EE platform.
The complete whitepaper is available here.