CVE-2016-9563
Published: 23 November 2016
Summary
CVE-2016-9563 is a medium-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in SAP NetWeaver Application Server Java. Its CVSS v3 base score is 6.5 (Medium).
Operationally, it ranks in the top 1.7% of CVEs by estimated exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, which requires evidence of exploitation in the wild.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
The vulnerability CVE-2016-9563 is an XML External Entity (XXE) flaw, tracked as CWE-611, that affects the BC-BMT-BPM-DSK component in SAP NetWeaver AS JAVA 7.5. It is reachable via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI and is addressed in SAP Security Note 2296909.
An authenticated remote user can exploit the issue over the network with low attack complexity and no user interaction. The impact is high on confidentiality (an external entity declared in the submitted XML can make the server-side parser read a local file, or fetch a URL, and echo the result back) and none on integrity or availability, i.e. CVSS v3 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, base score 6.5.
SAP Security Note 2296909, ERPScan advisory ERPSCAN-16-034, and SecurityFocus BID 92419 document the vulnerability and point to the associated remediation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10369
Vulnerability details
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
- CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
SAP NetWeaver AS JAVA 7.5, component BC-BMT-BPM-DSK; see SAP Security Note 2296909 for the patched support package levels.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of XML input so that DOCTYPE and external entity declarations are rejected before the parser can act on them. In practice this means configuring the XML parser to disallow DTDs and external entities, not pattern-matching the request body.
- AC-4 (Information Flow Enforcement): enforces information flow rules that deny the application server the outbound file:// and network fetches that external entity resolution in the vulnerable bpemuwlconn handler would otherwise perform, limiting what an attacker can exfiltrate even if the parser remains unpatched.
- Monitoring of XML parser errors and of anomalous outbound connections from the application server, which would indicate attempted or successful exploitation of CVE-2016-9563.
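The Java program below is an added illustration, not code from SAP, ERPScan or this page's advisory sources, of the parser-configuration gap behind an XXE flaw of this class and of the SI-10 fix: a JAXP DocumentBuilder left at its defaults resolves the external entity in a constructed payload and returns a local file's contents to the caller, while the same parser with DOCTYPE processing and external entities disabled rejects the document before any entity is touched. The payload, the element names, the class name XxeDemo and the file path /etc/hostname are assumptions for the demonstration; they do not reflect the real request format of the bpemuwlconn handler, which the page does not describe.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeDemo {

    // Constructed XXE payload (assumption): an internal DTD declares an external
    // general entity backed by a local file, and the body references it.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE task [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<task><name>&xxe;</name></task>";

    // Parser as JAXP ships it: DOCTYPE accepted, external general entities resolved.
    // This is the configuration that lets a caller read server-side files.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened parser (SI-10): the DOCTYPE itself is rejected, so no entity
    // declaration can ever be processed. The remaining settings are defence in
    // depth for parsers that do not honour disallow-doctype-decl.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the text of <name>, i.e. whatever the
    // entity expanded to. With the default parser this is the file contents.
    static String parseName(DocumentBuilder db, String xml) throws Exception {
        Document d = db.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("name").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("default parser returned: " + parseName(defaultParser(), PAYLOAD));
        } catch (Exception e) {
            // On a host without /etc/hostname the fetch fails, which is still a
            // sign the parser tried to resolve the entity.
            System.out.println("default parser attempted resolution and failed: " + e);
        }
        try {
            parseName(hardenedParser(), PAYLOAD);
            System.out.println("hardened parser accepted input (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        }
    }
}
```

Compile and run with javac XxeDemo.java && java XxeDemo. On a Linux host the first line prints the machine's hostname, which is the information-disclosure outcome the CVSS C:H rating describes; the second reports a SAXParseException at the DOCTYPE, raised before any entity is declared or resolved. The rejection is the behaviour to aim for: a parser that merely leaves the entity unexpanded still accepts attacker-controlled DTDs and remains exposed to other DTD-based attacks, which is why disallow-doctype-decl is listed first.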