2317318 - CERT Alert TA16-132A: How-to validate Java systems about property EnableInvokerServletGlobally

Overview

The CERT alert TA16-132A describes a vulnerability in SAP Java systems about the "Invoker Servlet".

While the vulnerability in question, the “Invoker Servlet”, was already fixed by SAP in SAP NetWeaver 7.20 with SAP Security Note 1445998, this topic may be still of relevance for you. Configuration changes such as these were known to break custom software development by the customer, and this is the reason why the feature was not disabled by default in releases older than SAP NetWeaver 7.20. There may be older versions in use, e.g. in SAP Solution Manager 7.1 or other double stack systems like BI, PI, and even ERP, that need to be maintained. Upgraded versions where the weak configuration setting survived the upgrades may exist as well.

This KBA describes how to identify affected Java systems by using the application Configuration Validation of the SAP Solution Managers to run a cross-system analysis.

Solution for the vulnerability 

The solution is availabe as of 2010 as described in note 1445998 - Disabling invoker servlet

Good news: The Invoker Servlet has been disabled by default as of Java release 7.20.

However, keep in mind that older releases, i.e. Java release 7.02, are still in use with up-to-date products from SAP. Even if you regularly patch your systems with Support Packages – which is very important to solve other security vulnerabilities - you still need to set the security related switch about the Invoker Servlet in these releases below Java release 7.20.

Ensure, to check all SAP products which are installed with a Java server, i.e. the Portal or double stack systems like ERP, PI or the SAP Solution Manager. Disable the vulnerable feature manually by changing the value of property EnableInvokerServletGlobally of service servlet_jsp on the server nodes to false.

Here is an example showing the navigation path to this property in Java release 7.02:

Check in “System Management” – “Configuration” – “System Properties” – “Global Server Configuration” that in the “Services” tab in “servlet_jsp” the property “EnableInvokerServletGlobally” is set to “false”.

If you do not see the property then upgrade to releases respective support packages described in note 1445998 so that you are not only able to detect usage of the Invoker Servlet and switch the property, but also use SAP applications on top which have gotten rid of the Invoker Servlet in those SPs (see related notes section of this KBA).

The same property exist on the server nodes of the system (but not on the dispatcher node) either as a refencence to the global value or as an individual value of that server node. Verify that the property has the correct value on all server nodes. If the value is set individually on a server node you can restore the global value by choosing the corresponding button which shows up only in this case:

Related notes

Old applications - either from SAP or created as a custom application - may rely on using the invoker servlet.
The attachment of note  1445998 describes how to identify such use of the invoker servlet.

After disabling the invoker servlet you get the following 403 response code for such applications:
Error: Servlet with class <class name> cannot be loaded.

SAP had updated several applications to use individual servlets instead and does not use it anymore for productive applications:

Note 1460635 - RWB link "Index Administration" shows error 403 - forbidden
Note 1463661 - Open SQL monitors: Servlets cannot be loaded
Note 1467771 - Disabling invoker servlet in the portal
Note 1488846 - CRM ECO. Security - Invoker Servlet
Note 1535301 - Invoker Servlet Fix for IS-M/AMC
Note 1537663 - Biller Direct, Security - Invoker Servlet
Note 1589525 - Verb Tampering issues in CTC
Note 1598246 - Servlet declaration missing for LWC SOAP Dispatcher servlet
Note 1802092 - PDF display error due to invoker servlet disabled in NW 7.3
Note 1900752 - VSCANTEST Application returns 403 response code

(There might exist more notes.)

TA16-132A Invoker Servlet EnableInvokerServletGlobally servlet_jsp , KBA , security , ta16-132a , invoker servlet , BC-JAS-WEB , Web Container, HTTP, JavaMail, Servlets , XX-SER-BOSEC , AGS SEC Backoffice , How To