Layer Seven Security

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of an open naming and directory API to access services and read and modify sensitive information, execute SQL commands, and perform a denial of service. There are no workarounds for the vulnerabilities. The notes apply access control for the interface. After the implementation of the correction, full access to the interface will require UME role SAP_XI_ADMINISTRATOR_J2EE. Read and write access will require roles SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE. Read-only access can be provided using role NWA_READONLY.

Note 3239475 deals with a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability enables attackers with non-administrative privileges to upload/replace any file in the operating system of the Business Objects server, thereby taking full control of the system. Both the Central Management Console (CMC) and BI Launchpad (BILP) on BOBJ 4.2 and 4.3 are impacted.

Hot news note 3271523 patches a remote code execution vulnerability in SAP Commerce associated with Apache Commons Text, an open-source Java library that performs variable interpolation. Versions 1.5 – 1.9 of Apache Commons Text include interpolators that can be used to execute arbitrary code or connect with remote servers. The library should be updated to 1.10, which disables the vulnerable interpolators by default. Note 3271523 includes instructions for locating and updating the affected .jar files manually.

Securing the Journey to SAP S/4HANA

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security, since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in-depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, or provoke a denial of service. As a workaround, customers can first backup and then delete the files in the following folders of the Tomcat directory:

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_DestinationFormat

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_Format

The workaround disables the selection of the format in the creation of a Publication or a Schedule. It will cause an HTTP 404 page in the Format area when trying to schedule a document. This impacts the CMC only. There is no impact on the BI Launchpad.

Note 3256571 for CVE-2022-41214 addresses multiple high-risk directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities are caused by insufficient path validation in remote-enabled function modules, which enables attackers to read and delete restricted files in AS ABAP.

Note 3249990 deals with denial of service vulnerabilities in SQLite bundled with SAPUI5 that can be triggered by array-bounds overflow.

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating system logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific versions of SAP Commerce Cloud. Workarounds are also detailed in the note if the patches cannot be applied. This includes removing the OAuth extension and URL filtering. The latter can be implemented using website redirects in SAP Commerce. However, there are known side-effects with the workarounds. For example, the OAuth extension is required by SmartEdit Module, Assisted Service Module, and other extensions. OAuth may also be required for integrations.

Note 3242933 provides a fix for a critical directory traversal vulnerability in SAP Manufacturing Execution that could lead to information disclosure. The affected plugins are Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER).

Note 3229132 patches an information disclosure vulnerability in Program Objects within SAP BusinessObjects Business Intelligence Platform that could be exploited to compromise OS credentials. The credentials are exposed in clear-text to administrators.

Note 3232021 deals with a buffer overflow vulnerability in SAP SQL Anywhere and SAP IQ that can be used to trigger a denial of service in database servers.

Notes 3245929 and 3245928 patch multiple high-risk vulnerabilities in SAP Visual Enterprise Viewer.

Maintaining System Inventories with SAP Solution Manager

Maintaining an accurate and complete inventory of SAP systems is an important requirement for cybersecurity. It enables organizations to assess and prioritize risk management, ensure systems are not accidentally overlooked and exposed to threats, plan and track maintenance activities such as upgrades to apply security patches, and recover rapidly from security incidents including data breaches and successful ransomware attacks. For this reason, compliance frameworks such as CIS, NIST and PCI-DSS include requirements for asset management. The requirement is also the subject of the new bill Strengthening Agency Management and Oversight of Software Assets Act approved by the U.S. Senate Homeland Security and Governmental Affairs Committee in September.

In many organizations, SAP asset inventories are maintained in spreadsheets or asset management tools that require manual updating. This can lead to inaccuracies if these approaches fail to keep pace with changes in complex and evolving SAP landscapes. Landscape Management in SAP Solution Manager provides an automated solution for managing system inventories by discovering and mapping SAP assets and automatically updating system information. Landscape Management is included in the standard usage rights for Solution Manager.

System information is sourced by Landscape Management from the System Landscape Directory (SLD). The SLD is the central repository of system information required for SAP lifecycle management. SAP landscapes may have multiple SLDs for backup or to support different environments, but the supplier for Landscape Management is the central SLD. The SLD includes a software catalog for each system known as CR Content. It also includes a Common Information Model (CIM) for sharing hardware and software information. CR and CIM data is automatically synced from the SLD to Landscape Management via SAP agents. The data can also be automatically or manually imported into Solution Manager in landscapes that do not have an SLD. The data is then synced from Landscape Management to the Maintenance Planner in the SAP Support Portal. This is one of the primary reasons why SAP Solution Manager is required in SAP landscapes even if customers are not actively using any SolMan scenarios.

Landscape Management is accessed from the SAP Solution Manager Administration workgroup in the Fiori Launchpad.

System information is categorized by application server, database, host and component areas. For technical systems, you can select a system from the selection screen and click on Display to display the full system information.

The initial screen summarizes the key attributes for the system such as the SID, database, installation number, release information and SAP products installed in the system. This section also includes the environment, location and lifecycle status. The priority of the system can be used to classify systems based on their business importance using a low to very high rating scale.

The tabs for Technical Scenarios, SAP Support Portal, Business Partners, and Installed Licenses detail the active SolMan scenarios for the system, the system number, key personnel including system owners, business contacts, architects, and technical support with email addresses and telephone numbers, and license information.

The Software section lists the installed software components including version and support pack level. This information is used by SAP Solution Manager during the calculation of relevant notes including security notes.

The Database, Instances and Clients sections include information such as the database type, release and host name, instance names, numbers and directories, and active clients and roles.

The Hosts section will include host-level information such as the host name, FQDN, IP address, OS type and version, CPU, and details of whether the host is physical, logical or virtual.

The Destinations section lists the active RFC destinations in the system by client.

Finally, the Component Groups section details the logical component groups for the system. This is often used to group systems based on their role. A set of system roles is predefined by SAP. However, users can create and maintain custom component groups to cluster systems by business group, function, location, or other areas.

SAP Security Notes, September 2022

Note 3237075 patches a high priority vulnerability in SAP GRC Access Control that could be exploited by attackers to access Firefighter sessions even after they are closed in the Firefighter Logon Pad. Firefighter IDs are dedicated user identities with elevated privileges that are activated when required and controlled through Emergency Access Management (EAM) in SAP GRC. Note 3237075 provides a patch to detect active Firefighter sessions using SM04 and SM05 information. To properly retrieve the SM05 data, the GRC RFC user will require authorization object S_ADMI_FCD with value PADM. According to SAP, the implementation of the correction will lead to a slight degradation in performance due to the additional time required for the SM04 check during logon. This only affects the central system.

Note 3213507 resolves a privilege escalation and information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the retrieval and modification of sensitive system data from the Central Management Server (CMS) and Monitoring DB. Note 3217303 patches a similar vulnerability in the BOBJ Central Management Console (CMC).

Notes 3223392 and 3226411 deal with high-risk privilege escalation vulnerabilities in SAP Business One and SAP SuccessFactors, respectively. The vulnerabilities can be exploited to gain system privileges.

Finally, note 2998510 was updated to clarify that sysmon is not the only OS application that can be exploited to compromise authentication credentials for the CMS in BOBJ. Also, the vulnerability impacts BOBJ installations operating on both Linux/Unix and Windows platforms.

Securing Custom SAPUI5 Applications using the Cybersecurity Extension for SAP

SAPUI5 is the foundation of Fiori applications in SAP solutions such as SAP HANA and S/4HANA. It provides an HTML5 framework for developing flexible and user-friendly applications that perform consistently across all browsers, platforms, and devices, and integrate with ABAP programs using APIs such as OData services.

The SAPUI5 library is based on the jQuery JavaScript library. Therefore, although SAP Web IDE is recommended by SAP, UI5 applications can be developed using any development environment that supports JavaScript development. SAPUI5 applications generate their own JavaScript code and handle HTML rendering. Consequently, the applications are more susceptible to code-level vulnerabilities than Web Dynpro applications that use an abstract programming model. Application developers should ensure custom SAPUI5 applications meet stringent security standards during all phases of the development lifecycle. Custom applications are part of the attack surface for SAP systems and vulnerable applications are often targeted by threat actors to compromise SAP solutions. Since custom applications are not maintained by SAP and not patched by SAP security notes, customers are directly responsible for ensuring custom applications are secure and protected against misuse.

Automatic static source code scanning is a proven method to effectively and efficiently detect software vulnerabilities in custom applications during and after development. In addition to static code scanning for over 100 vulnerabilities in custom ABAP programs, the Cybersecurity Extension for SAP (CES) supports the automatic detection of more than 900 vulnerabilities in custom SAPUI5 applications. This includes vulnerabilities such as code injection, SQL injection, cross-site scripting, directory traversal, and missing or insufficient authentication or authorization checks. CES enables SAP customers to securely develop and deploy custom SAPUI5 applications to support the needs of end-users, in accordance with best practices for secure coding.

CES provides detailed information for vulnerabilities detected in custom SAPUI5 applications, including risk analysis, remediation guidance, and details of the impacted lines of code, objects, packages and owners. Findings are also mapped to the Common Weakness Enumeration (CWE) framework to monitor for compliance against coding best practices. CWE is a software development standard supported by US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The results of static code scans for custom SAPUI5 applications can be reviewed and managed using SAP Code Inspector (SCI) and exported as Excel/PDF reports. The results are also integrated with the Vulnerability Report in CES, accessed from the Fiori launchpad for SAP Solution Manager.

SAP Security Notes, August 2022

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse.

Note 3150454 was also updated to enforce authorization checks in lower SP levels of SAP NetWeaver Application Server ABAP when RFC destinations are modified using transaction SM59.

Note 3210823 addresses an information disclosure vulnerability in Open Document within SAP BusinessObjects Business Intelligence Platform (BOBJ). Open Document is a web application that processes incoming URL requests for documents and other objects. The vulnerability can be exploited by unauthenticated attackers to retrieve sensitive information over the network. The impacted versions of BOBJ are 4.2 SP009 and 4.3 SP002 – SP003.

Notes 3213524 and 3213507 patch lower-priority information disclosure vulnerabilities in the commentary and monitoring databases of SAP BOBJ that could lead to the exposure of sensitive system data. The vulnerabilities require network access for successful exploitation.

Securing Oracle Databases for SAP

According to Gartner research, 70 percent of SAP customers have yet to migrate to S/4HANA. Based on current rates of adoption, SAP is unlikely to achieve its goal of migrating ECC customers to S/4HANA by 2027. As a result, the majority of SAP solutions continue to be driven by conventional databases. One of the most common database platforms for SAP is Oracle.

Oracle databases include several important security features to protect data at rest and in transit. These include network encryption for securing communications between application and database servers, transparent data encryption for encrypting database tables, columns or complete tablespaces, granular access control using Database Vault, and Unified Auditing to support advanced policy-based logging. However, poorly configured Oracle databases can provide a vulnerable target for attackers to access and compromise data in SAP systems, bypassing application-level security and detection.

This article details best practices for securing Oracle databases against common vulnerabilities and exploits to protect against SAP attacks targeted at the database layer.

One of the most important steps is disabling the OPS$ mechanism in Oracle. In earlier versions of Oracle, the password for the SAP database user was retrieved from Oracle tables via an operating system user. The user was able to log on to the database from a shell prompt using credentials maintained at the OS level. The OPS$ mechanism enables threat actors to log on remotely to Oracle using locally-created users with the same IDs as OS users that are authenticated externally. This was deprecated from Oracle 11g. The encrypted password for the SAP database user is now stored in the Secure Storage File System (SSFS). The OPS$ mechanism is disabled by setting the database parameter REMOTE_OS_AUTHENT to FALSE.

Other important parameters include O7_DICTIONARY_ACCESSIBILITY to limit access to objects in the SYS schema, GLOBAL_NAMES for blocking database connections from unauthorized domains, REMOTE_LOGIN_PASSWORDFILE for preventing the use of password files to authenticate users, and profile options for enforcing robust password policies for database users, including password complexity and expiration.

There are several standard users that are enabled in Oracle databases when a new database is created. The default passwords for the users should be changed after the install. Refer to the Oracle Help Center for the full list of standard users.

Users in the PUBLIC group should not be able to execute sensitive packages such as UTL_ORAMTS, UTL_HTTP and HTTPURITYPE. These packages can be used to send data to external destinations. All database users are members of the PUBLIC group.

Privileges and roles should not be granted to users WITH ADMIN OPTION, except for Oracle-maintained users. Users holding a privilege or role with the admin option can grant it to other users.

Critical system and table privileges should be restricted to authorized users only. This includes ALTER SYSTEM, GRANT ANY PRIVILEGE and BECOME USER. The last privilege enables users to inherit the privileges of other users.

Auditing should be enabled for specific database events. Examples include role and user changes, profile changes, database links, granting object and system privileges, changes to stored procedures, and schema triggers. Logging of successful and unsuccessful attempts to alter the audit trail in the SYS.AUD$ table is also recommended.
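The checks above can be run as read-only data dictionary queries. The script below is an added example, not taken from the article or from CES; it assumes Oracle 12c or later (for the DBA_USERS.ORACLE_MAINTAINED column), a session with SELECT access to the DBA_* and V$ views, and traditional or mixed-mode auditing. It extends the PUBLIC-execute list with UTL_TCP, UTL_SMTP and UTL_INADDR, which are also network-capable.

```sql
-- Added example: read-only Oracle hardening checks for an SAP database.
-- Assumes Oracle 12c+ and SELECT on DBA_*/V$ views. Nothing here changes state.

-- 1. OPS$ and other security-relevant parameters.
--    Expected: remote_os_authent=FALSE, o7_dictionary_accessibility=FALSE,
--    global_names=TRUE, remote_login_passwordfile=NONE unless a password
--    file is deliberately used (then review who is in it).
SELECT name, value,
       CASE
         WHEN LOWER(name) = 'remote_os_authent'           AND UPPER(value) <> 'FALSE' THEN 'FAIL'
         WHEN LOWER(name) = 'o7_dictionary_accessibility' AND UPPER(value) <> 'FALSE' THEN 'FAIL'
         WHEN LOWER(name) = 'global_names'                AND UPPER(value) <> 'TRUE'  THEN 'FAIL'
         WHEN LOWER(name) = 'remote_login_passwordfile'   AND UPPER(value) <> 'NONE'  THEN 'REVIEW'
         ELSE 'OK'
       END AS status
  FROM v$parameter
 WHERE LOWER(name) IN ('remote_os_authent', 'o7_dictionary_accessibility',
                       'global_names', 'remote_login_passwordfile');

-- 2. Open standard accounts still carrying an Oracle default password.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%';

-- 3. Password policy: profiles with no expiry or no verify function.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_name IN ('PASSWORD_LIFE_TIME', 'PASSWORD_VERIFY_FUNCTION')
   AND (limit = 'UNLIMITED' OR limit = 'NULL');

-- 4. Network-capable packages executable by PUBLIC (every user inherits these).
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_ORAMTS', 'UTL_HTTP', 'HTTPURITYPE',
                      'UTL_TCP', 'UTL_SMTP', 'UTL_INADDR');

-- 5. Privileges and roles held WITH ADMIN OPTION by non-Oracle users,
--    who could re-grant them to others.
SELECT p.grantee, p.privilege AS granted, 'SYSTEM PRIVILEGE' AS kind
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee AND u.oracle_maintained = 'N'
 WHERE p.admin_option = 'YES'
UNION ALL
SELECT r.grantee, r.granted_role, 'ROLE'
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee AND u.oracle_maintained = 'N'
 WHERE r.admin_option = 'YES';

-- 6. Critical system privileges outside Oracle-maintained accounts.
--    Roles have no DBA_USERS row, so they are kept for manual review.
SELECT p.grantee, p.privilege
  FROM dba_sys_privs p
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege IN ('ALTER SYSTEM', 'GRANT ANY PRIVILEGE', 'BECOME USER')
   AND NVL(u.oracle_maintained, 'N') = 'N'
 ORDER BY p.privilege, p.grantee;

-- 7. Audit coverage for the recommended statement options (system-wide,
--    not per-user). Missing rows mean the event is not audited. Under pure
--    unified auditing query AUDIT_UNIFIED_ENABLED_POLICIES instead.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL
   AND audit_option IN ('ROLE', 'USER', 'PROFILE', 'DATABASE LINK',
                        'SYSTEM GRANT', 'GRANT PROCEDURE', 'PROCEDURE', 'TRIGGER');

-- 8. Object auditing on the audit trail itself: SYS.AUD$ delete/update/insert.
--    Values are success/failure pairs, e.g. 'A/A' = audited by access for both.
SELECT owner, object_name, del, upd, ins
  FROM dba_obj_audit_opts
 WHERE owner = 'SYS' AND object_name = 'AUD$';
```

Run it from SQL*Plus or SQLcl against each SAP database and treat any FAIL, REVIEW, or non-empty result set in checks 2 to 6 as a finding to remediate through the normal change process.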

The Cybersecurity Extension for SAP (CES) performs comprehensive vulnerability scans for Oracle databases supporting SAP applications. The SAP-certified add-on automatically detects Oracle vulnerabilities including insecure authentication mechanisms, database misconfigurations, standard users with default passwords, users with critical roles and privileges, and incomplete audit policies.

CES also monitors Oracle database logs to detect and alert for security incidents and potential data breaches. CES is the only solution that secures the entire SAP stack including application, database and host layers. For host monitoring, CES also supports vulnerability management and threat detection for Oracle Linux operating systems, as well as other Linux variants including Red Hat Enterprise Linux (RHEL) and SUSE Enterprise Linux Server (SLES). In next month’s blog, we will discuss security and monitoring for Microsoft platforms supporting SAP systems, including SQL Server and Windows Server. Coverage for both platforms is included in the Cybersecurity Extension for SAP.