PT-2019-4256 · SAP · SAP NetWeaver Process Integration

Published

2019-04-10

·

Updated

2020-08-24

·

CVE-2019-0283

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:S/C:P/I:C/A:N
Name of the Vulnerable Software and Affected Versions

SAP NetWeaver Process Integration (Adapter Engine):
- versions prior to 7.10
- versions 7.10 to 7.11
- version 7.30
- version 7.31
- version 7.40
- version 7.50
Description

The issue is a Digital Signature Spoofing weakness in the PI Axis adapter. The adapter verifies XML signatures on incoming requests, but it does not bind the element whose signature it verified to the element it then processes. As a result, a request whose payload has been altered is still accepted as validly signed, particularly when the signed element is the Body of the XML document: the original signed Body can be kept intact elsewhere in the message so that the signature reference still resolves and verifies, while the adapter acts on a substituted Body (the XML Signature Wrapping pattern). The vulnerability is also associated with inadequate access control, which lets a remote attacker (the CVSS vector rates the attack as requiring a single authentication, Au:S) send arbitrary requests to the server through the PI Axis adapter.
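Worked illustration of the failure the description refers to, added here as an example; it is not SAP's code and not the PI Axis adapter's verification logic. Assumptions: an HMAC over a simplified serialization stands in for XMLDSig's canonicalization and RSA signature, the element and attribute names are modelled loosely on SOAP and WS-Security, and the key, the sample messages and both verifiers are constructed for this example. It shows a signature that still validates after the signed Body has been moved into a wrapper and a forged Body put in its place, and the identity check that closes the gap.

```python
# Constructed example (not SAP/PI Axis code): XML signature wrapping against a
# verifier that resolves the signed element by Id anywhere in the document.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
ID_ATTR = "{%s}Id" % WSU
BODY_TAG = "{%s}Body" % SOAP

SIGNING_KEY = b"demo-signing-key"  # assumption: a shared HMAC key instead of a key pair


def _canonical(el):
    # Stand-in for C14N: the subtree serialized on its own. ElementTree emits the
    # same bytes for the same subtree wherever it sits in the document, which is
    # exactly the property a wrapping attack relies on.
    return ET.tostring(el, encoding="utf-8")


def _sign(el):
    return hmac.new(SIGNING_KEY, _canonical(el), hashlib.sha256).hexdigest()


def build_signed_request(operation_xml):
    """Legitimate sender: sign the SOAP Body by reference (URI="#body")."""
    env = ET.Element("{%s}Envelope" % SOAP)
    header = ET.SubElement(env, "{%s}Header" % SOAP)
    body = ET.SubElement(env, BODY_TAG, {ID_ATTR: "body"})
    body.append(ET.fromstring(operation_xml))
    sig = ET.SubElement(header, "{%s}Signature" % DS)
    ET.SubElement(sig, "{%s}Reference" % DS, {"URI": "#body"})
    ET.SubElement(sig, "{%s}SignatureValue" % DS).text = _sign(body)
    return env


def wrap_signed_request(signed_env, forged_operation_xml):
    """Attacker: keep the signed Body byte-for-byte, but move it into a wrapper inside
    the Header and put an unsigned Body with the forged payload where the server reads
    it. The Reference "#body" still resolves to the untouched original element."""
    env = copy.deepcopy(signed_env)
    original_body = env.find(BODY_TAG)
    env.remove(original_body)
    wrapper = ET.SubElement(env.find("{%s}Header" % SOAP), "Wrapper")
    wrapper.append(original_body)
    forged_body = ET.SubElement(env, BODY_TAG)  # no wsu:Id: nothing references it
    forged_body.append(ET.fromstring(forged_operation_xml))
    return env


def tamper_signed_request(signed_env, new_text):
    """Plain tampering, for contrast: edit the signed Body in place (no wrapping)."""
    env = copy.deepcopy(signed_env)
    env.find(BODY_TAG)[0][0].text = new_text
    return env


def _reference(env):
    sig = env.find("{%s}Header/{%s}Signature" % (SOAP, DS))
    uri = sig.find("{%s}Reference" % DS).get("URI")
    return uri.lstrip("#"), sig.find("{%s}SignatureValue" % DS).text


def verify_naive(env):
    """Vulnerable pattern: find the referenced Id anywhere in the document, verify that
    element, report success. Nothing ties the verified element to the Body the
    application goes on to process."""
    target_id, value = _reference(env)
    for el in env.iter():
        if el.get(ID_ATTR) == target_id:
            return hmac.compare_digest(_sign(el), value)
    return False


def verify_strict(env):
    """Hardened: the Id must be unique and the signed element must be the very object
    the application will process (the Envelope's direct Body child)."""
    target_id, value = _reference(env)
    matches = [el for el in env.iter() if el.get(ID_ATTR) == target_id]
    if len(matches) != 1 or matches[0] is not env.find(BODY_TAG):
        return False
    return hmac.compare_digest(_sign(matches[0]), value)


def processed_operation(env):
    """What the application acts on: the operation inside the Envelope's Body."""
    return env.find(BODY_TAG)[0].tag


# Constructed sample messages.
LEGIT_REQUEST = build_signed_request("<GetBalance><account>1001</account></GetBalance>")
WRAPPED_REQUEST = wrap_signed_request(
    LEGIT_REQUEST, "<Transfer><to>ATTACKER</to><amount>1000000</amount></Transfer>")
TAMPERED_REQUEST = tamper_signed_request(LEGIT_REQUEST, "9999")

if __name__ == "__main__":
    for name, env in [("legit", LEGIT_REQUEST), ("tampered", TAMPERED_REQUEST),
                      ("wrapped", WRAPPED_REQUEST)]:
        print(name, "naive:", verify_naive(env), "strict:", verify_strict(env),
              "acts on:", processed_operation(env))
```

Running the block shows the three cases side by side: the in-place edit fails both verifiers, because the signature itself is sound; the wrapped message passes the naive verifier yet makes the application act on the attacker's Transfer operation, because resolution by Id found the untouched original Body inside the wrapper. The strict verifier does not compare bytes any better; it simply refuses unless the element it verified is the same object the application will consume, which is the binding the naive one lacks.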
Recommendations

Apply the SAP security note for CVE-2019-0283 to the installed Adapter Engine release. Every listed release line (7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50) is affected, so moving from one affected release to the next, for example from 7.30 to 7.31, does not resolve the issue; only the vendor patch for that release line does. Until the patch is applied, restrict network access to the PI Axis adapter to the senders that need it, and treat signature verification by the adapter as insufficient on its own for authorising the request content.

Weakness Enumeration

Improper Access Control

Authentication Bypass by Spoofing

Related Identifiers

BDU:2019-04857
CVE-2019-0283

Affected Products

SAP NetWeaver Process Integration