3393635 - WSDL Files publicly disclosed in AS Java

Symptom

Executed vulnerability assessment/scan then identify WSDL file can be accessed without asking for user/password, such as WSDL file:
http<s>://<hostname>:<port>/CAFDataService/Config?wsdl=binding
http<s>://<hostname>:<port>/AdobeDocumentServices/Config?wsdl

Environment

SAP NetWeaver 7.2x onwards version

Product

SAP NetWeaver 7.2 ; SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5

Keywords

j2ee engine, va, avoid exposing sensitive data, wsdl.security, Web Services Container, java web service , KBA , BC-ESI-WS-JAV-CFG , Configuration , BC-JAS-SEC , Security, User Management , BC-ESI-WS-JAV-RT , Runtime , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.