This month, SAP released note 3022622, 'Code Injection Vulnerability in SAP Manufacturing Integration and Intelligence (MII)'.
In summary, this is an issue where an attacker can inject malicious code into the server, and, surprisingly, the vector is dashboard creation. MII dashboards can be saved as JSP through the Self Service Composition Environment (SSCE). That save request can be intercepted and the JSP content replaced with attacker-controlled code. When the dashboard is later rendered, the JSP now living on the server is executed server-side and can call OS commands. As SAP states in the note: "... through which an attacker can read sensitive files in the server, modify files or even delete contents in the server thus compromising the confidentiality, integrity and availability of the server hosting the SAP MII application."
To prevent this, SAP has provided a fix via the note that removes the ability to save a file as JSP through the SSCE. At this point SAP states there is no other workaround, so applying the note is the only mitigation available.
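Because the fix removes the option to save a dashboard as JSP rather than inspecting what has already been saved, an administrator may also want to review the JSP dashboards that currently exist on the server. The script below is an added example, not code from the SAP note or from Avantra: it walks a directory (the path and file names are assumptions; substitute the location where your MII installation stores SSCE-generated dashboards) and flags JSP scriptlets that call into the OS or the file system, which a dashboard has no legitimate reason to do. The two dashboard files it scans are constructed fixtures.

```python
"""Scan exported SAP MII dashboard files for JSP scriptlets that reach into the OS.

Added example; not code from the SAP note or from Avantra. The directory layout,
file names and sample dashboards are assumptions/constructed fixtures. Point
scan_directory() at wherever your MII installation keeps SSCE-generated JSP.
"""
import re
import tempfile
from pathlib import Path

# Java calls a dashboard has no reason to make. Any hit inside a JSP scriptlet is
# a strong indicator of injected code (OS command execution, file read/write,
# reflection or an embedded script engine).
SUSPICIOUS_CALLS = [
    ("Runtime.getRuntime", re.compile(r"\bRuntime\s*\.\s*getRuntime\s*\(")),
    ("ProcessBuilder", re.compile(r"\bnew\s+ProcessBuilder\s*\(")),
    ("java.io file access", re.compile(
        r"\bnew\s+(?:File|FileInputStream|FileOutputStream|FileReader|FileWriter|RandomAccessFile)\s*\(")),
    ("java.nio Files", re.compile(
        r"\bFiles\s*\.\s*(?:read|write|delete|copy|move|list|walk|newBuffered)\w*\s*\(")),
    ("reflection", re.compile(r"\bClass\s*\.\s*forName\s*\(")),
    ("script engine", re.compile(r"\bScriptEngineManager\b")),
]

# JSP comments are blanked (newlines kept so line numbers stay right) so that
# commented-out code does not alert. Scriptlets <% %>, expressions <%= %> and
# declarations <%! %> are inspected; page directives <%@ %> are skipped.
COMMENT_RE = re.compile(r"<%--.*?--%>", re.DOTALL)
SCRIPTLET_RE = re.compile(r"<%[=!]?(?!@)(.*?)%>", re.DOTALL)

# Constructed fixture: a harmless dashboard (the only "Runtime" mention is in a comment).
BENIGN_DASHBOARD = """<%@ page contentType="text/html" %>
<html><body>
<%-- note: Runtime.getRuntime() appears here only inside a JSP comment --%>
<h1>Line OEE</h1>
<% String plant = request.getParameter("plant"); %>
<p>Plant: <%= plant %></p>
</body></html>
"""

# Constructed fixture: the same dashboard after its save request was tampered with.
TAMPERED_DASHBOARD = """<%@ page contentType="text/html" %>
<html><body>
<h1>Line OEE</h1>
<%
  String cmd = request.getParameter("c");
  Process p = Runtime.getRuntime().exec(cmd);
%>
</body></html>
"""


def scan_jsp_text(text):
    """Return [(line_number, label, source_line)] for every suspicious call in one JSP."""
    cleaned = COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    lines = cleaned.splitlines()
    findings = []
    for block in SCRIPTLET_RE.finditer(cleaned):
        body_start = block.start(1)
        for label, pattern in SUSPICIOUS_CALLS:
            for m in pattern.finditer(block.group(1)):
                line_no = cleaned.count("\n", 0, body_start + m.start()) + 1
                findings.append((line_no, label, lines[line_no - 1].strip()))
    return findings


def scan_directory(root):
    """Walk root; return (all_jsp_paths, {path: findings}) for every *.jsp found.

    The list of all JSP files matters on its own: after the note is applied the
    SSCE can no longer produce them, so every one present predates the fix.
    """
    jsp_paths, findings = [], {}
    for path in sorted(Path(root).rglob("*.jsp")):
        jsp_paths.append(str(path))
        hits = scan_jsp_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return jsp_paths, findings


def demo():
    """Write the two constructed dashboards to a throwaway directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "oee_benign.jsp").write_text(BENIGN_DASHBOARD, encoding="utf-8")
        Path(tmp, "oee_tampered.jsp").write_text(TAMPERED_DASHBOARD, encoding="utf-8")
        jsp_paths, findings = scan_directory(tmp)
        print(f"{len(jsp_paths)} JSP file(s) found; {len(findings)} with OS/file access")
        for path, hits in findings.items():
            for line_no, label, source in hits:
                print(f"  {path}:{line_no}: {label}: {source}")
        return len(jsp_paths), len(findings)


if __name__ == "__main__":
    demo()
```

Run it against a copy of the dashboard directory rather than the live one, and treat every hit as something to review by hand: the patterns are indicators, not proof, and a determined attacker can obfuscate calls the regexes will not match, so an inventory of every JSP that exists (the first return value) is the more reliable signal.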
At Avantra, we work with many manufacturing customers who use MII alongside our solution as part of their CVSS-based (Common Vulnerability Scoring System) vulnerability management process, and we want to proactively make sure our MII customers are aware of this vulnerability.
At Avantra, security always comes first, for both our customers and ourselves. We don't believe in security through obscurity, and we encourage open communication about possible breaches and security concerns such as the one described in this note.