Vulnerability Note VU#989719

SAP BusinessObjects Axis2 Default Admin Password

Original Release date: 13 Oct 2010 | Last revised: 14 Oct 2010

Overview

The Axis2 component of SAP BusinessObjects contains a default administrator account and password.

Description

The SAP BusinessObjects product contains a module (dswsbobje.war) which deploys Axis2 with an administrator account which is configured with a static password.  As a result, anyone with access to the Axis2 port can gain full access to the machine via arbitrary remote code execution. This requires the attacker to upload a malicious web service and to restart the instance of Tomcat. This issue may apply to other products and vendors that embed the Axis2 component. The username is "admin" and the password is "axis2", this is also the default for standalone Axis2 installations. Additional details may be found in the Rapid7 R7-0037 Advisory.

Impact

An attacker can execute arbitrary code by creating a malicious web service (jar). The attacker can log in to the Axis2 component with the default admin account, upload the malicious web service, and upon restart the malicious code will be executed.

Solution

The vendor has addressed this vulnerability in SAP Security Note 1432881.

Users should change the admin default password. This can be done by modifying the password value within axis2.xml

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
SAPAffected05 Oct 201013 Oct 2010
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Joshua Abraham and Will Vandevanter for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2010-0219
  • Date Public: 13 Oct 2010
  • Date First Published: 13 Oct 2010
  • Date Last Updated: 14 Oct 2010
  • Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.