####################################################################################################
#
# COMPASS SECURITY ADVISORY https://www.compass-security.com
####################################################################################################
#
# CVE ID: CVE-2016-6859
# Product: SAP Hybris [1]
# Vendor: SAP [2]
# Subject: Information Disclosure through Error Stack Traces in the Hybris Management Console (HMC)
# Risk: Low
# Effect: Exploitable by Authenticated Hybris Users
# Author: Damian Pfammatter (advisories@compass-security.ch)
# Date: September 14th 2016
#
####################################################################################################

Introduction:
-------------
SAP Hybris is an enterprise-grade multichannel e-commerce and product content management (PCM)
software [1], developed by Hybris - a German subdivision of the SAP AG [2].

Damian Pfammatter of Compass Security Schweiz AG [3] identified an Information Disclosure
(CVE-2016-6859) vulnerability in the Hybris Management Console (HMC), which could leak
implementation details to low-privileged Hybris users.

Affected Versions / Hotfix:
---------------------------
Detailed error messages in SAP Hybris are only shown if the developer mode is on. Versions prior
to 6.0 enable the developer mode by default. Starting with version 6.0, the developer mode is
turned off by default and has to be enabled explicitly if required. Developer mode is recommended
to be turned off in production environments.

Technical Description:
----------------------
CVE-2016-6859: Information Disclosure through Error Stack Traces in the HMC

Authenticated users in the HMC can trigger unexpected errors that are not correctly caught. In
consequence, entire Java stack traces, containing potentially sensitive implementation details
(exception types, class and package names, source file names and line numbers), are returned to
the end-user.

As such, malicious users can learn implementation details about the HMC application and
potentially use them to adjust further attacks.

Timeline:
---------
2016-03-15: Vulnerability discovered
2016-04-04: Initial vendor notification
2016-05-20: Vendor confirmed security issue
2016-06-14: Vendor released security fix & guidance to its customers
2016-09-14: Vendor informed about public advisory
2016-09-27: Vendor provided detailed version information and requested extension before disclosure
2016-10-28: Public disclosure

References:
-----------
[1]: https://www.hybris.com
[2]: http://go.sap.com
[3]: https://www.compass-security.com/research/advisories/
[4]: http://scn.sap.com/docs/DOC-55451
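The "Affected Versions / Hotfix" section above says developer mode must be off in production, and the "Technical Description" names what leaks when it is not: raw Java stack traces in HTTP responses. A practical way for an operator to confirm that a deployment no longer does this is to scan response bodies for stack-trace signatures. The following Python check is an added example written for this advisory; it is not code from Compass Security or SAP, and the URLs, package names and response bodies in it are constructed for illustration. It reports the leaked exception type, the number of frames and the application packages exposed, which is exactly the information the advisory describes as sensitive.

```python
import re
from typing import Optional

# Java stack-trace signatures. The exception header is a fully-qualified class
# name ending in Exception/Error/Throwable at the start of a line, optionally
# prefixed by "Caused by:". A frame line looks like
# "at pkg.Class.method(File.java:123)". Both patterns are written for this
# example and are not taken from the advisory.
EXCEPTION_RE = re.compile(
    r"^(?:Caused by: )?([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+"
    r"(?:Exception|Error|Throwable))(?::|$)",
    re.MULTILINE,
)
FRAME_RE = re.compile(
    r"^\s*at\s+([\w$.]+)\.([\w$<>]+)\(([\w$]+\.java:\d+|Native Method|Unknown Source)\)",
    re.MULTILINE,
)


def find_stack_trace_leak(body: str, min_frames: int = 2) -> Optional[dict]:
    """Return details of a leaked Java stack trace in an HTTP response body, or None.

    A single frame-like line could be coincidental, so at least `min_frames`
    real frame lines are required before the body is reported as a leak.
    """
    frames = FRAME_RE.findall(body)
    if len(frames) < min_frames:
        return None
    exceptions = EXCEPTION_RE.findall(body)
    # Package names are what tells an attacker about the application's internals;
    # collect them de-duplicated so the report stays short.
    packages = sorted({cls.rsplit(".", 1)[0] for cls, _method, _loc in frames})
    return {
        "exception": exceptions[0] if exceptions else None,
        "frames": len(frames),
        "packages": packages,
    }


def scan_responses(responses: list) -> list:
    """Run the leak check over captured responses (dicts with url, status, body)."""
    findings = []
    for resp in responses:
        leak = find_stack_trace_leak(resp["body"])
        if leak is not None:
            findings.append({"url": resp["url"], "status": resp["status"], **leak})
    return findings


# Constructed sample responses: one generic error page as a hardened deployment
# should return it, and one page that echoes a full stack trace to the client.
SANITIZED_BODY = (
    "<html><body><h1>An error occurred</h1>"
    "<p>Reference ID: 3f9c-example</p></body></html>"
)
LEAKING_BODY = """<html><body><h1>Error</h1><pre>
java.lang.NullPointerException: null
    at com.example.hmc.EditorController.render(EditorController.java:142)
    at com.example.hmc.RequestDispatcher.dispatch(RequestDispatcher.java:88)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
Caused by: java.lang.IllegalStateException: item not found
    at com.example.hmc.ItemService.load(ItemService.java:57)
</pre></body></html>"""

SAMPLE_RESPONSES = [
    {"url": "/hmc/login", "status": 500, "body": SANITIZED_BODY},
    {"url": "/hmc/editor", "status": 500, "body": LEAKING_BODY},
]

if __name__ == "__main__":
    for finding in scan_responses(SAMPLE_RESPONSES):
        print(finding)
```

In practice the `SAMPLE_RESPONSES` list would be replaced by responses captured from an authenticated regression run against a staging instance; a deployment with developer mode off and the vendor fix applied should produce no findings, and any finding should be treated as a configuration regression rather than as a curiosity.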