CVE-2016-9563 — SAP NetWeaver XML External Entity (XXE) Vulnerability

CVE-2016-9563

SAP NetWeaver AS Java — Authenticated XXE in BC-BMT-BPM-DSK Component Enables Server-Side File Disclosure and SSRF; SAP Security Note 2380729

What Is SAP NetWeaver Application Server Java?

SAP NetWeaver Application Server Java (AS Java) is the Java EE application platform underpinning SAP's enterprise middleware — including the SAP Enterprise Portal, SAP Process Integration (PI), Business Process Management (BPM), and hundreds of SAP applications. NetWeaver AS Java processes business documents, messages, and XML data for enterprise workflow, integration, and automation. It is deployed in the largest enterprises, financial institutions, and government organizations worldwide as core business infrastructure.

BC-BMT-BPM-DSK (Business Process Management Desktop) is the NetWeaver AS Java component for the Business Process Management runtime and its web-based desktop interface. It processes XML data for business process definitions and workflow items.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-9563 is an XML External Entity (XXE) injection vulnerability in the BC-BMT-BPM-DSK component of SAP NetWeaver Application Server Java. An authenticated attacker with low-privilege access to the SAP portal can send crafted XML requests that cause the SAP server to resolve external XML entities — reading arbitrary files from the server's filesystem or making server-side HTTP requests to internal systems. SAP released Security Note 2380729 to address this vulnerability. CISA added CVE-2016-9563 to the KEV catalog in November 2021, among the first batch of KEV entries.

Affected Versions

SAP NetWeaver AS Java                                        Status
NetWeaver AS Java 7.5 (BC-BMT-BPM-DSK, pre-Note 2380729)     Vulnerable
With SAP Security Note 2380729 applied                       Fixed

Consult SAP Security Note 2380729 and the SAP Support Portal for the specific support packages and patch levels that contain the fix.

Technical Details

Root Cause: XML Parser External Entity Resolution

CVE-2016-9563 is an XXE injection vulnerability (CWE-611). The BC-BMT-BPM-DSK component of NetWeaver AS Java parses XML documents submitted via web requests as part of the Business Process Management workflow. The XML parser is configured to resolve external entities — an XML feature that allows a document to reference external files or URLs using the <!ENTITY> declaration syntax.

XXE attack mechanism:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<request><data>&xxe;</data></request>

When the NetWeaver XML parser processes this document, it resolves &xxe; by reading /etc/passwd and substituting the file's contents into the XML. The server's response then contains the file contents.

Capabilities enabled by XXE:

  • Local file disclosure — reading any file accessible to the SAP AS Java process, including SAP configuration files, security credentials, private keys, and OS files
  • SSRF (Server-Side Request Forgery) — using http:// external entities to make the SAP server fetch URLs from internal networks inaccessible to the attacker (internal services, SAP backend systems, AWS metadata endpoint)
  • SAP configuration extraction — reading SAP DEFAULT.PFL, sec/passwd_hash files, and similar configuration files containing hashed passwords or encryption keys

SAP Enterprise Targeting Value

SAP NetWeaver is the backbone of enterprise ERP systems — reading SAP system configuration, passwords, or ABAP backend connection strings from an XXE can provide credentials enabling further lateral movement to the SAP ABAP backend:

  • SAP Java–ABAP RFC connection credentials extracted via XXE enable direct access to the ABAP system processing business transactions
  • SAP enterprise portals host sensitive business data including HR records, financial information, and strategic planning data

Attack Characteristics

Attribute          Detail
Attack Vector      Network — crafted XML request to SAP NetWeaver web endpoint
Authentication     Low-privilege SAP portal account required
Impact             File disclosure, SSRF; confidentiality impact only (no write/execute)
Target Component   BC-BMT-BPM-DSK (BPM Desktop)

Discovery

Reported through SAP's coordinated disclosure process; SAP patched via Security Note 2380729 in November 2016. Added to CISA KEV in November 2021 as part of the initial KEV catalog launch batch, reflecting CISA's high confidence in active exploitation.

Exploitation Context

  • SAP as high-value enterprise target: SAP systems process the most sensitive business data in the world — financial transactions, HR records, supply chain data, and strategic business information; nation-state actors and ransomware groups specifically target SAP systems for espionage and data exfiltration
  • Authenticated but low-barrier exploitation: The PR:L (low-privilege authentication required) means any SAP portal user — including business users with read-only access, contractors, or compromised service accounts — can exploit the vulnerability; SAP enterprise portals often have thousands of accounts
  • SAP security patching lag: SAP's complex patch dependency system (Support Package Stacks) makes patching slow in practice; security notes may sit unpatched for months or years while organizations wait for testing cycles; this creates a long exploitation window for known SAP vulnerabilities
  • XXE as credential harvester: XXE against SAP can extract the SAP system's configuration files containing backend ABAP system credentials, enabling an attacker to pivot from a low-privilege portal user to full control of the SAP ABAP core
  • CISA KEV (2021): Added November 3, 2021 in the initial KEV batch, alongside CVE-2016-7255 and others — reflecting confirmed active exploitation of older SAP vulnerabilities in attack campaigns

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply SAP Security Note 2380729 — log into the SAP Support Portal and apply the security note for your NetWeaver AS Java SP level. This configures the XML parser to disable external entity resolution in the BC-BMT-BPM-DSK component.

  2. Apply all current SAP Security Notes — review SAP's monthly Security Patch Day notes and apply all applicable security patches; SAP releases security notes on the second Tuesday of each month.

  3. Disable XML external entity processing in SAP XML parsers — if supported by your SAP version, configure SAP's XML parser settings to globally disable DOCTYPE declarations and external entity resolution as a defense-in-depth measure.

  4. Restrict network access to SAP NetWeaver — SAP NetWeaver should not be directly internet-accessible; place it behind a reverse proxy or WAF with strict allowlists for expected request patterns.

  5. Implement SAP-aware WAF rules — deploy a Web Application Firewall with SAP-specific rules that block XML requests containing DOCTYPE declarations or ENTITY references.

  6. Audit SAP user accounts and minimize privileges — restrict the number of accounts with access to the BC-BMT-BPM-DSK web interface; apply principle of least privilege; disable inactive accounts.
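To show the parser-side fix that steps 1 and 3 describe, here is an added Java example (not SAP's code and not taken from Note 2380729) that feeds the DOCTYPE payload from the Technical Details section to a default JAXP DocumentBuilderFactory and to a hardened one. It assumes the JDK's built-in Xerces-based parser on Java 11 or later, and aims the entity at a temp file the program creates itself rather than at /etc/passwd.

```java
import javax.xml.parsers.*;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {
    // Same payload shape as in Technical Details, aimed at a constructed temp file, not /etc/passwd.
    static String payloadFor(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
             + "<request><data>&xxe;</data></request>";
    }

    // Hardened configuration: refuse any DTD outright, and disable entity resolution as a
    // second layer in case a parser implementation ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the text of <data>, or null when the parser refused the document.
    static String parseData(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("data").item(0).getTextContent();
        } catch (SAXParseException e) {
            return null; // hardened parser: "DOCTYPE is disallowed when the feature ... set to true"
        }
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "not-for-the-client");
        String xml = payloadFor(secret);
        // Weak configuration: JAXP defaults leave DOCTYPE and external entity resolution enabled,
        // so the temp file's contents are substituted into <data> and reach the response.
        System.out.println("weak:     " + parseData(DocumentBuilderFactory.newInstance(), xml));
        System.out.println("hardened: " + parseData(hardenedFactory(), xml));
        Files.delete(secret);
    }
}
```

The disallow-doctype-decl feature is the same gate a WAF rule in step 5 applies at the network edge; applying it in the parser itself means a request that slips past the edge is still refused before any entity is resolved.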

Key Details

Property              Value
CVE ID                CVE-2016-9563
Vendor / Product      SAP — NetWeaver
NVD Published         2016-11-23
NVD Last Modified     2025-10-22
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-611 — Improper Restriction of XML External Entity Reference
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            None
Availability         None

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2016-11-23  CVE-2016-9563 published by NVD; SAP releases Security Note 2380729
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog (initial KEV batch)
2022-05-03  CISA BOD 22-01 remediation deadline