SAP Security Notes, December 2022
Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of an open naming and directory API to access services and read and modify sensitive information, execute SQL commands, and perform a denial of service. There are no workarounds for the vulnerabilities. The notes apply access control for the interface. After the implementation of the correction, full access to the interface will require UME role SAP_XI_ADMINISTRATOR_J2EE. Read and write access will require roles SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE. Read-only access can be provided using role NWA_READONLY.
Note 3239475 deals with a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability enables attackers with non-administrative privileges to upload/replace any file in the operating system of the Business Objects server, thereby taking full control of the system. Both the Central Management Console (CMC) and BI Launchpad (BILP) on BOBJ 4.2 and 4.3 are impacted.
Hot news note 3271523 patches a remote code execution vulnerability associated with Apache Commons Text in SAP Commerce, an open-source Java library that performs variable interpolation. Versions 1.5 – 1.9 of Apache Commons Text include interpolators that can be used to execute arbitrary code or connect with remote servers. The library should be updated to 1.10 to disable the vulnerable interpolators. Note 3271523 includes instructions for locating and updating the affected .jar files manually.