On 13.12.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Java.
SAP Note 3267780 addresses "[CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System)" to prevent missing authorization check with a hot news risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationAn unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver AS Java. This user can make use of an open naming and directory api to access services which could perform unauthorized operations.
The affected code has been updated with authorization checks in all affected public methods.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for