CVE-2016-2386
Published: 16 February 2016
Summary
CVE-2016-2386 is a critical-severity SQL Injection (CWE-89) vulnerability in Sap Netweaver Application Server Java. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a SQL injection flaw, identified as CWE-89, in the UDDI server component of SAP NetWeaver J2EE Engine 7.40. It enables remote attackers to execute arbitrary SQL commands through unspecified vectors and carries a CVSS 3.1 base score of 9.8 reflecting network-accessible exploitation without authentication or user interaction.
Remote unauthenticated attackers can leverage the flaw to run arbitrary SQL statements against the backend database, resulting in impacts across confidentiality, integrity, and availability that may include data exfiltration, modification, or service disruption.
SAP addressed the issue via Security Note 2101079; public references including exploit code on GitHub and detailed disclosures on Packet Storm and ERPScan indicate that proof-of-concept attacks have been available since the February 2016 publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-3470
Vulnerability details
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
- CWE(s)
- KEV Date Added
- 09 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs to the UDDI interface, blocking the unsanitized vectors that enable arbitrary SQL execution.
Mandates timely application of the SAP Security Note 2101079 patch that eliminates the CWE-89 flaw.
Boundary-protection mechanisms (e.g., WAF rules) can inspect and drop SQL-injection payloads before they reach the vulnerable J2EE UDDI endpoint.