Layer Seven Security

SAP Security Notes, June 2024

Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.

Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent the exploitation of the vulnerabilities.

Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.

A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.

Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.

SAP Security Notes, May 2024

Hot news note 3448171 patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. The correction delivered in the note changes the default configuration to prevent file uploads without signatures in the FILESYSTEM and SOMU_DB of the Content Repository. The workaround detailed in the note provides manual steps for applying the secure configuration using transaction OAC0.

Note 3455438 addresses CSS injection and remote code execution vulnerabilities in SAP CX Commerce. Swagger UI in CX Commerce is using is vulnerable to CVE-2019-17495 (CSS injection). This vulnerability enables the attackers to perform Relative Path Overwrite (RPO) in the CSS-based input fields. Apache Calcite Avatica 1.18.0 in CX Commerce is vulnerable to CVE-2022-36364 (Remote code execution). The note removes extensions that use Swagger UI. It also updates Avatica to a secure version.

Note 3431794 fixes a high-risk cross site scripting vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) Platform. BOBJ is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL. User input is sanitized by the correction delivered via the note to address the vulnerability.

Notes 3450286 and 3448445 addresses stored cross site scripting vulnerabilities in SAP NetWeaver AS ABAP that can lead to code injection and session hijacking due to insufficient encoding of URL parameters.

Note 2174651 patches an information disclosure vulnerability in the Integration Directory of SAP Process Integration (PI) that could enable attackers to discover sensitive information such as usernames and passwords.

SAP Security Notes, April 2024

Note 3434839 deals with a high-priority security misconfiguration in the User Management Engine of SAP NetWeaver AS Java. User passwords created using self-registration are not subject to password complexity requirements defined in UME settings. The misconfiguration impacts version 7.50 of AS Java. The password policy can be enforced by updating the impacted software components to the recommended versions specified in the note. Disabling user self-registration and the ability of users to modify their profiles is recommended a temporary workaround if the components cannot be upgraded in a reasonable timeframe.

Note 3421384 patches an information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence that could enable attackers to access sensitive operating system information. The note includes support package patches to address the vulnerability. Since the vulnerability arises from the reading of arbitrary Excel files, a workaround can be applied by removing the service Excel Data Access from all Adaptive Processing Servers.

Note 3438234 addresses a directory traversal vulnerability in SAP Asset Accounting caused by insufficient validation of user-provided path information. The correction included in the note verifies the path information against logical filenames. The vulnerable programs RAALTE00 and RAALTD01 can be protected using authorization groups as a workaround.

SAP Security Notes, March 2024

Hot news note 3425274 deals with a critical code injection vulnerability in applications developed with SAP Build Apps. The note recommends rebuilding applications with version 4.9.145 or later.

Hot news note 3433192 patches a code injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The plug-in allows threat actors with the Administrator role to upload potentially dangerous files that could be exploited to run arbitrary commands. The corrections included in the note block the upload of dangerous file types and supports virus scanning for uploaded files.

Note 3414195 includes support package patches for SAP BusinessObjects Business Intelligence (BOBJ) version 4.3 SP02 – 05 to address a high-priority path traversal vulnerability in the Central Management Console. The vulnerability arises from a version of Apache Struts included in BOBJ which is vulnerable to CVE-2023-50164.

Note 3410615 corrects a Denial-of-Service vulnerability impacting SAP HANA XS. The DoS can be triggered by a high volume of HTTP/2 requests. The HTTP/1 protocol is not affected. A workaround can be applied by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false to disable support for the HTTP/2 protocol.

Note 3346500 was updated with revised solution information for a high-risk authentication vulnerability in SAP Commerce Cloud. The solution changes the default value of the property user.password.acceptEmpty to false to prevent the use of empty passphrases for user authentication.

SAP Security Notes, February 2024

Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.

Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.

Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.

Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.

SAP Security Notes, January 2024

Hot news note 3412456 deals with a critical privilege escalation vulnerability impacting the development platforms SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA. Applications in the node.js JavaScript runtime environment are vulnerable to CVE-2023-49583. Applications developed using @sap/xssec library versions earlier than 3.6.0 and @sap/approuter versions earlier than 14.4.2 are impacted. node.js application dependencies should be upgraded with the latest versions of the libraries @sap/approuter and @sap/xssec.

Hot news note 3413475 deals with another privilege escalation vulnerability. This impacts SAP Edge Integration Cell used to design, deploy and manage APIs with SAP Integration Suite. Edge Integration Cell should be upgraded to version 8.9.13 to mitigate the vulnerability. There is no available workaround.

Note 3389917 includes corrections for a high-priority denial of service vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver Application Server ABAP and SAP Web Dispatcher. The DOS can be triggered by threat actors through a high volume of HTTP/2 requests. Support for the HTTP/2 protocol can be disabled in effected versions of the ICM and Web Dispatcher by the setting parameter icm/HTTP/support_http2 to FALSE. NetWeaver Application Server Java is not impacted since it does not support HTTP/2.

Note 341186 patches a code injection vulnerability in the File Adapter within SAP Application Interface Framework that enables privileged users to execute OS commands using a vulnerable function module.

Note 3407617 details manual steps for correcting a missing authorization check in SAP LT Replication Server running on SAP S/4HANA 1809 to 2023. The steps involve restricting the permissions of the user for LT Replication Server background jobs.

SAP Security Notes, December 2023

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.

SAP Security Notes, November 2023

Hot News note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact to confidentiality, integrity and availability. SAP Business One allows read and write-access to SMB shared folders to anonymous users. The impacted components are the Crystal Reports (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder). The correction in the note modifies SMB shared folder permissions to only grant read and write access to authenticated and authorized users.

Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions including ASE, Event Stream Processor IQ, Replication Server, and SQL Anywhere.

Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The required kernel patches to correct the vulnerability are specified in the note.

Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to brute force the Java Logon application to discover legitimate user IDs. The vulnerability impacts version 7.50 of the J2EE Engine Server Core.

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. The installation of CommonCryptoLib 8.5.50 or higher in impacted products is recommended to address the vulnerability. This can be performed by upgrading the relevant software components to the recommended versions detailed in the note.

Note 3333426 was updated for a Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application of SAP NetWeaver AS Java. The vulnerability could lead to information disclosure that could be used to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.

Notes 3324732 and 3371873 address a log injection vulnerability in the Log Viewer of AS Java. The support package patches specified in the note implement encoding and validation for user input to address the vulnerability in the impacted components.

Notes 3372991 and 3357154 patch Cross-Site Scripting (XSS) and missing XML validation vulnerabilities in SAP BusinessObjects and SAP PowerDesigner Client, respectively.

SAP Security Notes, September 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.

Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.

Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.

Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade to CommonCryptoLib to 8.5.49 or higher.