The Invoker Servlet: A Practical Case for Protecting Your SAP Systems from Vulnerabilities

  • by Juan Pablo Perez-Etchegoyen, CTO, Onapsis
  • September 2, 2016
Learn the steps to take to close the security gap potentially opened in SAP systems by the Invoker Servlet vulnerability.
Learning Objectives

After reading this article, you’ll know:

  • What the Invoker Servlet vulnerability is
  • How to detect, mitigate, and protect SAP systems from this vulnerability
  • How to implement a proper SAP cybersecurity strategy to ensure that SAP applications are fully protected against potential future breaches
Key Concept

On May 11, 2016, the Department of Homeland Security (DHS) issued the first-ever United States Computer Emergency Readiness Team (US-CERT) Alert (TA16-132A) for SAP applications. The alert was issued because of multiple unauthorized exploitations of a more-than-five-year-old vulnerability affecting SAP Java applications exposed to the Internet. This vulnerability is referred to as the Invoker Servlet (CVE-2010-5326).

Many factors cause SAP applications to require special measures from a security standpoint, including complexity, criticality, change management, customizations, SAP knowledge, and misconceptions about SAP cyber security. I briefly discuss each of these factors.

Complexity. SAP systems are not standalone applications that run somewhere in your organization and are accessed by a handful of people. Instead, when a company implements an SAP system, many SAP products are usually included as a part of the implementation. These products are all interconnected and are constantly exchanging information.

Criticality. SAP applications are a critical component of any organization, as they house mission-critical information and processes. For example, SAP applications are used to process purchase orders, store customer and HR information, and house intellectual property (IP) such as formulas and other information necessary for the daily operations of the organization.

Change management. Downtime is not an option for SAP applications. To control and prevent downtime, strong change management processes are implemented around SAP applications.

Customizations. SAP applications are heavily customized to map the real business processes defined by an organization. This custom code forms an extra layer on top of the standard SAP applications, commonly referred to as customizations, that SAP's own patches do not cover.

SAP knowledge. SAP applications are not traditional web applications. They are typically developed in proprietary languages (ABAP, for example), and their architecture relies on proprietary protocols (such as RFC and DIAG) and concepts that are unique to these systems. Therefore, the knowledge required to understand the security risks, vulnerabilities, and misconfigurations of these systems is also unique.

Misconceptions about SAP cybersecurity. SAP security teams have existed since the first SAP implementations took place. However, these teams often are focused on managing roles, profiles, and authorizations to ensure that every employee can perform only the activities they are supposed to. This narrow focus on user access has created a gap in security posture, as securing SAP applications should involve much more than segregation of duties.

Because of the previously mentioned factors, organizations are often not properly protecting SAP applications. This lack of proper security leaves them exposed to potential cyber-attacks that can be triggered through unpatched vulnerabilities, or insecure configurations of the SAP system.

The Alert

The U.S. Department of Homeland Security (DHS) released the first-ever US-CERT Alert on cybersecurity risks affecting SAP business applications. This alert warns cybersecurity professionals about the significance and implications of a more-than-five-year-old SAP vulnerability known as the Invoker Servlet (patched by SAP in 2010) that was leveraged to exploit the SAP systems of 36 large-scale global enterprises. The exploitation of these systems was publicly disclosed between 2013 and 2016 on a digital forum registered in China.

In early 2016, the Onapsis Research Labs became aware of this issue and decided to dig deeper. It soon realized that public information about these exploitations had been sitting in the public domain for several years. As the research indicates, cyber-attackers could be actively exploiting global organizations (beyond the original 36 enterprises) to access mission-critical information and potentially fully compromise systems.

The Vulnerability

The SAP NetWeaver Application Server Java, SAP's implementation of the Java 2 Platform Enterprise Edition (J2EE), has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these functionalities is the Invoker Servlet, a convenience feature common to J2EE-era servlet containers rather than something an application declares itself. It was conceived as a rapid development instrument: it lets a developer call any servlet class deployed in a web application by its name, without first registering a URL mapping for it, so custom Java applications can be tested very quickly.

When enabled, the invoker makes a servlet reachable through a URL of the form /<application>/servlet/<fully qualified class name>. Authentication and authorization in a J2EE application are declared as security constraints on URL patterns, so a servlet that is protected at its declared URL is reachable without credentials through the invoker path. The Invoker Servlet attack (sometimes referred to as the Invoker Servlet Detour) is the vulnerability caused by this feature: it allows remote attackers to bypass authentication mechanisms and perform unauthorized business activities via the vulnerable SAP applications. The potential impact of its exploitation is the complete compromise of the SAP system.
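To make the detour concrete, the following is an added example (not code from the article, from SAP, or from any real servlet container) that models the two pieces of J2EE dispatch that matter: servlet mappings and security constraints are both keyed on URL patterns, while the invoker resolves a path of the form /servlet/<fully.qualified.ClassName> straight to a class. The application, the servlet names (com.example.AdminServlet and friends), the URL patterns, and the access-log lines are all constructed for the illustration; the `invoker_enabled` flag stands in for the container-wide invoker switch.

```python
"""Why an invoker servlet defeats web.xml security constraints.

Added illustration, not the article's or SAP's code. Everything here is
constructed: the web application, its servlet classes and URL patterns,
and the sample access-log lines. Paths handed to resolve()/handle() are
context-relative, i.e. the container has already stripped /<application>.
"""
import re
from dataclasses import dataclass


@dataclass
class WebApp:
    mappings: dict         # web.xml <servlet-mapping>: url-pattern -> servlet class
    constraints: dict      # web.xml <security-constraint>: url-pattern -> allowed roles
    classes: set           # servlet classes present in WEB-INF/classes or WEB-INF/lib
    invoker_enabled: bool  # stands in for the global invoker-servlet switch


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec style matching: exact, path prefix ('/x/*') or extension ('*.ext')."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


INVOKER_PATH = re.compile(r"/servlet/([A-Za-z_][\w.]*)")


def resolve(app: WebApp, path: str):
    """Return the servlet class the container would dispatch `path` to, or None."""
    for pattern, cls in app.mappings.items():
        if pattern_matches(pattern, path):
            return cls
    # The detour: once the invoker is on, any deployed class is addressable by name.
    m = INVOKER_PATH.fullmatch(path)
    if app.invoker_enabled and m and m.group(1) in app.classes:
        return m.group(1)
    return None


def authorize(app: WebApp, path: str, roles: frozenset) -> bool:
    """Constraints are evaluated against the request URL, never against the class."""
    for pattern, allowed in app.constraints.items():
        if pattern_matches(pattern, path):
            return bool(roles & set(allowed))
    return True  # no constraint covers this URL


def handle(app: WebApp, path: str, roles: frozenset = frozenset()):
    """Return (HTTP status, servlet class) the way a container would."""
    cls = resolve(app, path)
    if cls is None:
        return 404, None
    if not authorize(app, path, roles):
        return 403, cls
    return 200, cls


def demo_app(invoker_enabled: bool) -> WebApp:
    """Hypothetical application: the admin servlet is protected at /admin/* only."""
    return WebApp(
        mappings={"/admin/*": "com.example.AdminServlet",
                  "/public/*": "com.example.PublicServlet"},
        constraints={"/admin/*": ["administrator"]},
        classes={"com.example.AdminServlet", "com.example.PublicServlet"},
        invoker_enabled=invoker_enabled,
    )


# Constructed access-log lines in common log format (not real SAP log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/May/2016:10:01:02 +0000] "GET /app/public/index HTTP/1.1" 200 4321',
    '203.0.113.5 - - [11/May/2016:10:01:09 +0000] "GET /app/admin/config HTTP/1.1" 401 0',
    '203.0.113.5 - - [11/May/2016:10:01:15 +0000] "GET /app/servlet/com.example.AdminServlet?cmd=x HTTP/1.1" 200 87',
]
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) ')


def invoker_requests(lines):
    """Request paths that went through the invoker: a quick indicator to hunt for in logs."""
    hits = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop the query string
        if INVOKER_PATH.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    anon = frozenset()
    print(handle(demo_app(True), "/admin/config", anon))                      # -> (403, 'com.example.AdminServlet')
    print(handle(demo_app(True), "/servlet/com.example.AdminServlet", anon))  # -> (200, 'com.example.AdminServlet')
    print(handle(demo_app(False), "/servlet/com.example.AdminServlet", anon)) # -> (404, None)
    print(invoker_requests(SAMPLE_LOG))   # -> ['/app/servlet/com.example.AdminServlet']
```

The same anonymous client is refused at /admin/config but served at /servlet/com.example.AdminServlet, because no security constraint mentions the invoker path; a real container's constraint matching is more elaborate (best-match rules, HTTP-method lists, and on SAP the UME-based checks on top), but the structural point is unchanged. With the invoker switched off the detour path simply does not resolve, which is what SAP Security Note 1445998 instructs: set EnableInvokerServletGlobally to false in the servlet_jsp service of the Java engine. The log scan at the end is only a first indicator, since legitimate applications that still rely on the invoker will show up there too.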

Juan Pablo Perez-Etchegoyen

Juan Pablo Perez-Etchegoyen is chief technology officer at Onapsis. He is responsible for the coordination of the development and research activities, focused on SAP and other ERP systems.

Juan will be presenting at the upcoming Cybersecurity for SAP Customers 2017 conference, November 29-December 1, 2017, in Las Vegas.
