PT-2016-3362 · SAP · SAP NetWeaver AS Java

Published: 2016-03-09 · Updated: 2025-04-03 · CVE-2016-9563

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver AS JAVA version 7.5

Description: The issue is an XML External Entity (XXE) vulnerability in the BC-BMT-BPM-DSK component of SAP NetWeaver AS JAVA. It stems from insufficient restrictions on XML external entities in the XML parser behind the "sap.comtcbpemhimuwlconnproviderweb/bpemuwlconn" URI, so a remote authenticated user who submits crafted XML to that URI can conduct XXE attacks.

Recommendations: For SAP NetWeaver AS JAVA version 7.5, apply the fix provided in SAP Security Note 2296909 to resolve the issue. As a temporary workaround, restrict access to the BC-BMT-BPM-DSK component to reduce the risk of exploitation, and avoid using the vulnerable URI "sap.comtcbpemhimuwlconnproviderweb/bpemuwlconn" until the fix is applied.

Fix

Weakness Enumeration: XXE

Related Identifiers: BDU:2021-05600, CVE-2016-9563

Affected Products: SAP NetWeaver AS Java