Author: Zarah

Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share common resources such as data storage, user authorizations, and passwords. Permissions to manage spaces including domains and resources are granted through controller roles.

Note 2589129 recommends using HANA XSA patch level 1.0.70 in order to remove several authentication and authorization bypass vulnerabilities listed in the Note. This includes flaws in specific controller roles that could enable users to retrieve sensitive information. It also includes vulnerabilities that could enable unauthenticated or unauthorized users to read the system configuration using SQL statements and retrieve passwords from log files.

Note 2525222 includes automated corrections and manual instructions for high priority vulnerabilities in the SAP Internet Graphics Server (IGS). The vulnerabilities are caused by unrestricted file uploads that could be exploited to provoke a denial of service, perform cross-site scripting or log injection attacks, and leak sensitive data.

Lastly, Note 2565622 includes corrections to remove a broken authentication vulnerability that could enable attackers to access privileged  functions or read and modify sensitive data in the SAP NetWeaver System Landscape Directory (SLD). The SLD supports landscape management and stores destination information used for system interfaces and the NetWeaver Development Infrastructure (NWDI).

Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_ WT_CHECK of the BAdI GRFN_DOCUMENT. This will activate a positive whitelist in table GRFNDOCUMENTWT to control permitted file extensions and mime types.

Note 2408073 provides updated instructions for the handling of digitally signed notes in the Note Assistant. Note 2518518 should be implemented before Note 2408073 to install new objects  required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must version 7.20, patch level 2 or higher.  The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Notes Assistant using the authorization object S_APPL_LOG. For further information, refer to 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073. Note 2507934 provides instructions for adjusting role SAP_BPO_CONFIG in SAP Solution Manager 7.2. The instructions restrict authorizations for table maintenance in the role to BPO-relevant tables belonging to the authorizataion groups SS, LMDB, PIMA, SA, IWAD, and SC.

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/ 10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_ CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could lead attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests.  The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Notes 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas.  Report for Terminology Export does not sufficiently validate user input that is used to perform operating commands through the command variable in system calls. The vulnerability could be exploited to perform arbitrary OS commands using the privileges of the underlying service. This could compromise the SAP file system.

SAP updated the priority of Notes 2531241 and 2520772 from High to Hot News based on revised CVSS scores. The Notes were originally released in September and provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution sections includes instructions for changing passwords and discovering and removing sensitive log entries.

Note 2500044 introduces improved key management procedures through the profile variable jstartup/secure_key in order to prevent attackers from accessing private keys used for instance communication in the J2EE.

Note 2026174 deals with a high risk code injection vulnerability in a component of the Apache Struts framework used by SAP BusinessObjects Enterprise.

Finally, Note 2542426 provides recommendations for removing a privilege escalation vulnerability in the Image Imports component of SAP Assortment Planning.

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion which enables SAP standard text to be replaced by industry specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/ 10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_ CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could lead attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests.  The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Note 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

Note 2408073 prepares systems to handle digitally signed SAP Notes. Digitally signed Notes will be issued by SAP in the future to protect against the risk of uploading Notes containing malware.  Digital signatures will support authentication and the identification of changes performed by attackers to SAP-delivered Notes.  SAP recommends only uploading digital signed Notes once they are available.

Note 2518518 should be implemented before Note 2408073 to install new objects  required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must version 7.20, patch level 2 or higher.  The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Notes Assistant using the authorization object S_APPL_LOG. For further information, refer to 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073.

Note 2520064 provides detailed instructions for removing a missing authentication check in the SAP Point-of-Sale (POS) Retail Xpress Server that was originally reported in July. The vulnerability could be exploited by attackers to modify files, capture sensitive information and perform a denial of service.

Notes 2531241 and 2520772 provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution section includes instructions for changing passwords and discovering and removing sensitive log entries.

Finally, Note 2278931 removes a high-risk code injection vulnerability in Document Management Services. The vulnerability could be exploited by attackers to create backdoors or escalate privileges.

Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by JavaScripts to exchange data between servers and clients to update parts of web pages without refreshing or reloading entire pages.  This minimizes network bandwidth usage and also improves response times through rapid operations. Ajax is an acronym for Asynchronous JavaScript and XML since it’s applied via XmlHttpRequest objects that interact dynamically with servers using JavaScript. XMLHttpRequest objects call server-side objects like pages and web services.

Browsers commonly apply a same-origin policy that prevent pages from accessing external resources that have a different scheme, hostname or port than existing pages. However, same-origin policies can be bypassed using procedures such as cross-origin resource sharing.  This could be exploited to transmit or load sensitive data to/ from malicious servers.  The cross-site Ajax request vulnerability addressed by Note 2381071 applies to versions 4.0 – 4.2 of BusinessObjects. Corrections are included in the patch levels for each relevant support package.

Note 2486657 deals with a high-risk directory traversal vulnerability in the NetWeaver AS Java Web Container. The Web Container is a component of the J2EE Engine and provides the runtime environment for Java applications including servlets and BSPs.

It receives HTTP requests from clients via the AS Java dispatcher. The requests are processed by applications in the Web Container to access business objects in the EJB Container. Note 2486657 improves input validation for file paths to prevent applications using the Servlet API exposing resources in parent directories or other directories outside the application context.

Other important notes include Notes 2376081, 2423540, 2524134 and 2280932 that patch a code injection vulnerability impacting iviews in Visual Composer, a URL redirection vulnerability in the SAP NetWeaver Logon Application, and a missing authorization check in the Security Provider Service.

Note 2442993 deals with a high-risk vulnerability in the Host Agent for SAP HANA. The Host Agent is automatically installed with every SAP instance on NetWeaver 7.02 and higher. The stand-alone component is used for controlling and monitoring SAP and non-SAP instances, databases and operating systems. Note 2442993 recommends upgrading to version 7.21 PL25 to remove a vulnerability in earlier versions that could be exploited by attackers to shutdown the Host Agent through malicious SOAP requests used for cross-platform communication via transport protocols such as HTTP and XML. A shutdown of the Host Agent could interrupt the availability of SAP services and explains the high CVSS score of 7.5/10 within the Note. Detailed instructions for upgrading the Host Agent are available in Note 1031096. The command ./saphostexec -upgrade should be performed after steps 1-4 outlined in the installation section of the Note.

Note 2476601 has an even higher CVSS score of 8.1/10. The note removes missing authentication checks in the SAP Point-of-Sale (POS) Xpress Server. The POS Xpress Server integrates components within the SAP POS suite including applications, clients and databases. Xpress Servers with Internet connectivity are particularly vulnerable to exploits targeting the missing authentication checks patched by the Note.

Note 2478377 recommends upgrading Sybase products impacted by Sweet32 attacks that target design weaknesses in some 64-bit block ciphers such as Triple-DES and Blowfish commonly used by the Internet protocols TLS, SSH and IPSec. The Sweet32 attack was discovered by researchers from the French National Research Institute for Computer Science (INRIA) in 2016 and can be used to recover HTTP session cookies in some specific scenarios.

Notes 2100926, 2184221 and 2185122 introduce switchable authorization checks for certain RFC enabled function modules in Business Warehouse, Public Services, and Master Data Governance. Switchable authorization checks supplement checks for the S_RFC authorization object and should be activated using transaction SACF.

Note 2416119 was reissued in June with updated release information and solution instructions.  The note provides instructions for maintaining the property URLCheck ServerCertificate in Java Application Servers. The instructions are intended to mitigate the risk of man-in-the-middle attacks by securing client-server HTTPS connections. Certificates signed by Certificate Authorities should be maintained in client keystores to avoid possible failures in HTTPS calls. Detailed instructions are available in the Manual Activities section of Note 2416119 and in the Resolution section of Note 2452615.

Note 2444321 corrects a program error in the SsfVerifyEx function of the SAP Common Cryptographic Library (Common CryptoLib). The error can lead to a failure in authorization and authentication checks for certificates.  SAP-delivered applications do not use the vulnerable SsfVerifyEx function.  However, SsfVerifyEx may be called by custom programs through the function module SSFW_KRN_VERIFY within the SSFW function group and the method VERIFY_XML within the SAP class CL_SEC_ SXML_DSIGNATURE.

Notes 2313631 and 2389181 deal with Denial of Service vulnerabilities impacting  the Launchpad and Central Management Console (CMC) within Business Intelligence  and the Instance Agent Service (sapstartsrv), respectively. The Launchpad and CMC are popular portals used to access BI content.

Sapstartsrv is a host-level service for controlling and monitoring SAP processes.

Note 2427292 includes corrections for an information disclosure vulnerability in the Microsoft Management Console (MMC) that could enable attackers to discover the password of hidden users. The credentials could be used to start or stop Java systems via the MMC Web Service.

Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component. The errors could be exploited by attackers to extract sensitive information or perform a denial of service by provoking a buffer overflow or underflow. This is caused by specially crafted commands or objects that force GUI Control to perform out-of-bounds memory reads. For detailed information, refer to CVE-2015-8540.

Note 2462813 provides instructions for securing dynamic selections in SQL queries using the function module FREE_SELECTIONS_RANGE_2_WHERE. The instructions are intended to mitigate SQL injection attacks against the Revenue Accounting application in SAP ERP. Successful SQL injection exploits can lead attackers to perform administrative database operations including reading, modifying and deleting sensitive data.

Note 2433777 deals with authorization errors in the ABAP File Interface used to edit files stored in SAP application servers. The Interface does not effectively perform authority checks for file or path names containing specific control characters. This could enable attackers to access restricted files. As a result, the corrections packaged with the Note disable the ABAP statements OPEN DATASET and DELETE DATASET for file names with control characters.

Note 2441560  removes a denial of service vulnerability in SAPCAR that could be exploited by attackers to gain root access to  servers processing prepared archives. SAPCAR is a utility that is used to compress and decompress files delivered by SAP. SAPCAR 7.21 should be updated to patch level 816 or higher to address the vulnerability.