Details of VAR-201411-0218

ID

VAR-201411-0218

CVE

CVE-2014-8587

TITLE

SAP NetWeaver AS ABAP and SAP HANA Used in SAPCRYPTOLIB In products such as DSA Vulnerability that is forged as a signature

Trust: 0.8

sources: JVNDB: JVNDB-2014-005218

DESCRIPTION

SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm (DSA) signatures via unspecified vectors. Multiple SAP products are prone to to a security vulnerability that may allow attackers to conduct spoofing attacks. An attacker can exploit this issue to conduct spoofing attacks, disclose sensitive information and perform unauthorized actions. This may aid in further attacks. The following products are vulnerable: Versions prior to SAP SAPCRYPTOLIB 5.555.38 Versions prior to SAP SAPSECULIB 8.4.30 Versions prior to SAP CommonCryptoLib 8.4.30

Trust: 1.89

sources: NVD: CVE-2014-8587 // JVNDB: JVNDB-2014-005218 // BID: 71027

AFFECTED PRODUCTS

vendor:	sap	model:	sapseculib	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	sapcryptolib	scope:	lte	version:	5.555.37	Trust: 1.0
vendor:	sap	model:	netweaver	scope:	eq	version:	*	Trust: 1.0
vendor:	sap	model:	commoncryptolib	scope:	lte	version:	8.4.29	Trust: 1.0
vendor:	sap	model:	hana	scope:	eq	version:	-	Trust: 1.0
vendor:	sap	model:	commoncryptolib	scope:	eq	version:	8.4.29	Trust: 0.9
vendor:	sap	model:	commoncryptolib	scope:	lt	version:	8.4.30	Trust: 0.8
vendor:	sap	model:	hana	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	sapcryptolib	scope:	lt	version:	5.555.38	Trust: 0.8
vendor:	sap	model:	sapseculib	scope:	lt	version:	8.4.30	Trust: 0.8
vendor:	sap	model:	sapcrytolib	scope:	eq	version:	5.555.37	Trust: 0.6
vendor:	sap	model:	sapseculib	scope:	eq	version:	8.4.29	Trust: 0.3
vendor:	sap	model:	sapseculib	scope:	eq	version:	0	Trust: 0.3
vendor:	sap	model:	sapcryptolib	scope:	eq	version:	5.555.37	Trust: 0.3
vendor:	sap	model:	sapcryptolib	scope:	eq	version:	0	Trust: 0.3
vendor:	sap	model:	netweaver abap	scope:	eq	version:	0	Trust: 0.3
vendor:	sap	model:	hana	scope:	eq	version:	0	Trust: 0.3
vendor:	sap	model:	commoncryptolib	scope:	eq	version:	0	Trust: 0.3
vendor:	sap	model:	sapseculib	scope:	ne	version:	8.4.30	Trust: 0.3
vendor:	sap	model:	sapcryptolib	scope:	ne	version:	5.555.38	Trust: 0.3
vendor:	sap	model:	commoncryptolib	scope:	ne	version:	8.4.30	Trust: 0.3

sources: BID: 71027 // JVNDB: JVNDB-2014-005218 // CNNVD: CNNVD-201411-043 // NVD: CVE-2014-8587

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8587
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8587
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201411-043
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2014-8587
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2014-005218 // CNNVD: CNNVD-201411-043 // NVD: CVE-2014-8587

PROBLEMTYPE DATA

problemtype:

CWE-310

Trust: 1.8

sources: JVNDB: JVNDB-2014-005218 // NVD: CVE-2014-8587

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-043

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201411-043

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005218

PATCH

title:	SAP Security Note 2067859	url:	http://scn.sap.com/docs/DOC-55451	Trust: 0.8
title:	Potential Exposure to Digital Signature Spoofing #ABAP #Netweaver #SAP Note 2067859 http://ow.ly/CMsqF	url:	https://twitter.com/SAP_Gsupport/status/522401681997570048	Trust: 0.8

sources: JVNDB: JVNDB-2014-005218

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8587	Trust: 2.7
db:	SECUNIA	id:	57606	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-005218	Trust: 0.8
db:	CNNVD	id:	CNNVD-201411-043	Trust: 0.6
db:	BID	id:	71027	Trust: 0.3

sources: BID: 71027 // JVNDB: JVNDB-2014-005218 // CNNVD: CNNVD-201411-043 // NVD: CVE-2014-8587

REFERENCES

url:	http://blog.onapsis.com/sap-security-note-2067859-potential-exposure-to-digital-signature-spoofing/	Trust: 2.7
url:	http://service.sap.com/sap/support/notes/2067859	Trust: 1.9
url:	https://twitter.com/sap_gsupport/status/522401681997570048	Trust: 1.6
url:	http://secunia.com/advisories/57606	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8587	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8587	Trust: 0.8
url:	http://www.saphana.com/welcome	Trust: 0.3
url:	http://scn.sap.com/community/netweaver-portal	Trust: 0.3

sources: BID: 71027 // JVNDB: JVNDB-2014-005218 // CNNVD: CNNVD-201411-043 // NVD: CVE-2014-8587

CREDITS

SAP

Trust: 0.3

sources: BID: 71027

SOURCES

db:	BID	id:	71027
db:	JVNDB	id:	JVNDB-2014-005218
db:	CNNVD	id:	CNNVD-201411-043
db:	NVD	id:	CVE-2014-8587

LAST UPDATE DATE

2024-11-23T22:46:00.389000+00:00

SOURCES UPDATE DATE

db:	BID	id:	71027	date:	2014-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-005218	date:	2014-11-06T00:00:00
db:	CNNVD	id:	CNNVD-201411-043	date:	2014-11-05T00:00:00
db:	NVD	id:	CVE-2014-8587	date:	2024-11-21T02:19:23.250

SOURCES RELEASE DATE

db:	BID	id:	71027	date:	2014-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-005218	date:	2014-11-06T00:00:00
db:	CNNVD	id:	CNNVD-201411-043	date:	2014-11-05T00:00:00
db:	NVD	id:	CVE-2014-8587	date:	2014-11-04T15:55:07.310