Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not effect metric data collection for data collectors that use the Agent. However, it will disable metric testing.
Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks report RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning a physical path to the logical path RSPO_FILE_LOCATION delivered with the note using transaction FILE.
Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.
Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.
The new release of the Cybersecurity Extension for SAP (CES) is scheduled for general availability on April 24. It includes several important enhancements, configuration checks and patterns for threat detection to further protect SAP solutions from advanced cyber threats.
The prior release of the CES provided capabilities for SAP customers to automatically discover and remove false positive security notes calculated by System Recommendations (SysRec) in SAP Solution Manager. This improved the quality and reliability of results in SysRec and reduced the manual effort required by SAP administrators to analyze security patches. The new release of CES extends the enhancements for SysRec by including CVE, CVSS and vector information for calculated security notes.
The new release also includes configuration checks for protection against directory traversal in ABAP systems. The checks review path validation for files with no defined physical paths and the definition of physical file paths for logical paths. Checks are also applied for settings in SAP Virus Scan Interface (VSI) profiles and supported MIME types. SAP VSI integrates with scanning engines to discover and block malware in file uploads and downloads from SAP solutions.
The new release includes extended checks for Unified Connectivity (UCON) including HTTP whitelists for protection against clickjacking attacks and relevant background jobs. It also includes extended checks for Read Access Logging including log domains, groups and fields. In addition, checks for the masking and encryption of payment card data are included in the new release.
There are over 210 checks for critical transactions in S/4HANA included in the release. Future releases will rollout authorization checks for solutions such as S/4HANA, ECC, BW/4HANA, BW, CRM. The checks will enable customers to use the Cybersecurity Extension for SAP to monitor critical access and segregation of duties in lieu of SAP Governance, Risk & Compliance (GRC), given the scheduled end of maintenance of GRC.
There are several new checks for code vulnerabilities in custom SAP programs. This includes checks for XSRF protection and the forceEncode attribute.
New patterns for detecting Indicators of Compromise (IOCs) in SAP solutions include successful and unsuccessful program installations, uninstallations and changes in Microsoft Server platforms for SAP. Similar patterns were included in earlier versions of CES for Linux platforms to support the detection of potential ransomware attacks.
IOCs are also included for the detection of changes to specific security-relevant parameters in SAP ABAP and HANA systems.
A new security framework has been added to CES for S/4HANA. The framework will enable customers to automatically check the compliance of S/4HANA systems with SAP requirements in the Security Guide for S/4HANA.
The new release of CES deprecates custom infocubes and process chains used in earlier versions. This dramatically improves the stability and performance of CES and the ability of the solution to rapidly process large data sets with minimal resources.
Security alerts for multiple hosts can be mapped to specific SAP System IDs in the new release. Also, filters for security alerts include a new field to support searching of security alerts based on time ranges using the format HH:MM:SS for start and end times.
Finally, vulnerability details now include tables containing the complete fields and values from source CCDB stores. The tables support data filtering and export.
The next release of the Cybersecurity Extension for SAP is scheduled for June 2023 and will include support for detecting IOCs in logs for SAP ASE databases, vulnerability and event correlation, and trend analysis for tracking changes in vulnerabilities, patches and alerts for periods covering up to two years.
Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.
Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.
Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.
Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.
SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily using the Simple Diagnostics Agent (SDA), installed in SAP systems monitored by Focused Run.
This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.
Exclusions can be applied to exclude specific checks in security policies. In the example below, we have applied an exclusion to exclude a check that validates the status of the standard DDIC user. The first step is to open to CSA in the Advanced Configuration Monitoring workgroup.
The next step is to select the relevant policy and select Exemption for Policies.
Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.
You can add a date range if the exclusion is temporary and should be automatically removed after a target date. Once saved, the check will be excluded from the policy. Exemptions can be maintained and deleted after they are applied.
Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.
Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.
Alerts can be configured for specific systems or groups based on Customer ID, Data Center, IT Admin Role, Lifecyle Status, or Networks.
IT Admin Role can be used to apply alerts for systems based on environments.
Email and SMS options for alert notifications can be maintained using Outbound Variants.
Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.
Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display change of configuration items. Select a time frame for changes using Time Frame Selection.
You can also maintain a custom time frame.
Select a system to view to view a summary of the changes.
Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.
The details can be filtered, sorted and exported to Excel.
The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.
Hot news note 3273480 was updated in February for a critical vulnerability that could enable attackers to compromise installations of NetWeaver Application Server Java (AS Java) via an open JNDI interface exposed through User Defined Search (UDS). The updates include corrections for side effects caused by the original fix for the vulnerability that implemented authorization checks for affected public methods. Note 3301366 corrects side effects for alerting and monitoring after implementing note 3273480. Note 3284781 provides instructions to correct side effects observed for specific services used by Process Integration (PI).
Note 3285757 recommends upgrading the SAP Host Agent to the latest version 7.22 PL59 in order to patch a high priority privilege escalation vulnerability. Attackers can exploit the vulnerability to execute operating system commands using administrative privileges through webservice requests.
Note 3256787 includes a fix for an unrestricted file upload vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). The note also includes instructions for a workaround that involves applying a whitelist for file format types using the property upload.file.allowed.formats in the global.properties file.
Other important notes include 3263135 and 3271091 for information disclosure and privilege escalation vulnerabilities in BOBJ and SAP Business Planning and Consolidation (BPC), respectively.
Maintenance Planner is a cloud solution from SAP that supports the planning and administration of systems in SAP landscapes. It is the successor to Maintenance Optimizer and Landscape Planner and consolidates and simplifies tasks such as system installation, updates, upgrades and conversions.
Maintenance Planner is hosted on the SAP Support Portal. It maintains an inventory of SAP systems in customer landscapes. The inventory can be viewed using the Explore Systems tile.
Landscapes can also be analyzed using graphical topologies in Hybrid Landscape Visualization.
Explore Systems provides detailed software information for each system such as product versions, components and stack levels, as well as tracks and dependencies. Tracks are used to group related systems and streamline maintenance.
Maintenance Planner identifies products that are out of maintenance, third-party add-ons installed in SAP systems, and inconsistencies between displayed software components and installed components in systems. The software information is sourced by Maintenance Planner directly from the Landscape Management Landscape Database (LMDB) in SAP Solution Manager. The information is synchronized with the LMDB every day via the SAP-OSS connection between Solution Manager and SAP Support.
Upgrade Dependency Analyzer (UDA) is integrated with Maintenance Planner to help identify the impact of maintenance tasks in dependant systems. Maintenance Planner identifies and downloads the required software packages for planned upgrades or new systems. It also supports conversion tasks for migration from SAP ERP to S/4HANA. Finally, Maintenance Planner includes guided workflows to discover and integrate SAP cloud solutions.
Maintenance Planner calculates and displays recommended notes for systems in each landscape. The notes are analyzed and managed using the View Recommended Notes tile. It supports searching, filtering, grouping, sorting, and exporting of results. The Calculate Notes option displays relevant notes for selected systems. Notes are grouped by category including Security, Hot News, Performance and Legal Change. You can select a note from the available categories to view the details. CVE, CVSS and vector information is provided for SAP Security Notes.
Maintenance Planner can track the implementation lifecycle of notes using the Processing Status option. The following values are supported for the option:
Transferring: Note is transferred for implementation In Progress: Note implementation is in progress Not Relevant: Invalid or irrelevant note for the system
A Comments field is also included for users to provide additional information related to the implementation status of each note.
Maintenance Planner provides an alternative to System Recommendations for discovering and managing required notes in SAP systems. However, unlike System Recommendations, Maintenance Planner does not identify SAP HANA, Web Dispatcher and platform-related notes. Also, it does not integrate with Change Request Management (ChaRM), Usage and Procedure Logging (UPL), ABAP Call Monitor (SCMON), and Solution Documentation for the full lifecycle management of notes and automated change impact analysis to support test planning.
Hot news note 3089413 patches a critical capture-replay vulnerability that can lead to authentication bypass in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by the failure to use unique hashes for system identification. Note 3089413 includes corrections for the SAP kernel and the SAP Basis component. The corrections must be applied in both trusting and trusted systems.
Hot news note 3268093 deals with a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). An unauthenticated attacker can attach to an open interface and exploit an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data. This could allow the attacker to gain full read access to user data, modify data and disrupt the availability of services within the system. The correction removes public access to basicadmin and adminadapter services and introduces authentication and authorization for the relevant objects. The required permissions are automatically assigned to the Administrator, NWA_SUPERADMIN, and NWA_READONLY roles by the corrections.
Note 3243924 patches a high-risk insecure deserialization of untrusted data vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). Authenticated attackers with minimal privileges can intercept and modify serialized objects in the Central Management Console and BI LaunchPad of BOBJ. Note 3243924 restricts deserialization to specific internal classes. The note also includes instructions for a workaround that involves removing the vulnerable code in specific files.
Other important notes include 3262810 and 3275391 for code injection and SQL injection vulnerabilities in the Analysis Edition for OLAP in BOBJ and SAP Business Planning and Consolidation, respectively.
SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.
This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.
Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure. The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.
The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring. The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.
Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.
Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs selected during the initial selection screen.
You can select the list view to display the current alerts.
You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.
The Metrics tab includes information related to underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information Event Management (SIEM) systems. Notifications can be also sent for alerts through email or SMS using the Send Notification option in the Actions menu.
Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.
Alerts can be also managed using System Monitoring in the Advanced System Management workgroup.
System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.
The application also includes a hierarchal view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.
The Cybersecurity Extension for SAP provides an alternative to SAP Code Vulnerability Analyzer (CVA) for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of SAP CVA. This guide will help you plan for the transition from SAP CVA to the Cybersecurity Extension for SAP. Once you have transitioned from SAP CVA, you can remove the SAP CVA consoles and sensors from your SAP landscape, as well as the SAP CVA users and addons in your SAP systems.
Unlike SAP CVA, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.
The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from SAP CVA to the Cybersecurity Extension for SAP.
Check central system
The Cybersecurity Extension for SAP applies code vulnerability checks using the ABAP Test Cockpit (ATC). A central check system is recommended for the ATC. The central system performs code analysis for remote systems. Please refer to the SAP guidelines for configuring a central system for your landscape. The latest version of the SAP Basis component is recommended for the central system to analyze custom code in systems with lower versions.
The Cybersecurity Extension for SAP provides an alternative to SAP Code Vulnerability Analyzer (CVA) for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of SAP CVA. This guide will help you plan for the transition from SAP CVA to the Cybersecurity Extension for SAP. Once you have transitioned from SAP CVA, you can remove the SAP CVA consoles and sensors from your SAP landscape, as well as the SAP CVA users and addons in your SAP systems.
Unlike SAP CVA, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.
The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from SAP CVA to the Cybersecurity Extension for SAP.
Check target system software versions
The Cybersecurity Extension for SAP supports monitoring for ABAP, HANA and Java systems, as well as the SAProuter and Web Dispatcher. Please confirm the target systems meet the minimum requirements below. All versions of the SAProuter and Web Dispatcher are supported.
ABAP: SAP Basis 7.00, SP00 HANA: Version 1.0, SP08 Java: SAP NetWeaver 7.0 Enhancement Package 1 (7.01)
