Layer Seven Security

SAP Security Notes, January 2021

Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted function in BW/4HANA.

Hot news note 2999854 patches a similar code injection vulnerability in SAP Business Warehouse and SAP BW4HANA. The note improves input validation to prevent the injection and execution of malicious code through the impacted function module.

Note 3000306 removes a high-risk Denial of service (DOS) vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note blocks the parallel execution of demo examples from the web version of ABAP Keyword Documentation to prevent resource exhaustion.

Finally, note 2993132 is updated for a missing authorization check impacting a RFC-enabled function module in SAP NetWeaver AS ABAP and SAP S4 HANA.

SAP Security Notes, December 2020

Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW4HANA. For release 7.30, the note binds the execution of the affected function module to a hard coded report and legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether.

Note 2974774 deals with a missing authentication check in P2P Cluster Communication within SAP NetWeaver Application Server Java (AS Java). P2P Cluster Communication supports message exchange between server nodes within a cluster. The note provides a correction to prevent connections from outside the cluster that could be abused to perform administrative functions including system shutdowns. As a workaround, the message server access control list can be modified to allow P2P connections from only trusted IP addresses. Also, network firewall rules can be used to block external access to the P2P port.

Hot News note 2979062 includes an update for a critical privilege escalation vulnerability in the UDDI server of AS Java. The vulnerability can be exploited to completely compromise the confidentiality, integrity and availability of the server OS. The update provides fixes for version SR UI 7.40, SP 017 & SR UI 7.31, SP 022.

SAP Security Notes, November 2020

Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query.  Attackers can abuse the function module to inject malicious ABAP code that could lead to the complete compromise of the affected system.

Note 2982840 addresses multiple critical vulnerabilities in SAP Data Services, including remote execution and denial of service.

Hot News notes 2985866 and 2890213 remove missing authentication checks in the LM-SERVICE within the Java stack of SAP Solution Manager.

Finally, note 2979062 deals with a privilege escalation vulnerability in the UDDI Server of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary OS commands and compromise the operating system.

SAP Security Notes, October 2020

Hot news note 2969828 patches a OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions need to be upgraded to version before applying the patch. The EM service can be stopped in systems if the patch can not be immediately applied. Stopping the service will not impact the Cybersecurity Extension for SAP Solution Manager since the service is not required by the extension.  

Note 2969457 removes a missing XML Validation in Compare Systems within SAP NetWeaver that can be exploited to read arbitrary OS files and provoke a denial of service.

Note 2972661 patches a high priority reflected cross site scripting vulnerability in the SAP NetWeaver Composite Application Framework.

Notes 2941315 and 2898077 contain important updates for a missing authentication check in SAP NetWeaver AS JAVA and information disclosure in SAP Business Objects Business Intelligence Platform, respectively.

SAP Security Notes, September 2020

Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. The vulnerability targets specific function modules to assume complete control of BW including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It impacts BW releases up to 7.40 running on SAP Adaptive Server Enterprise (ASE) 15.7 and 16.0. BW installations running on other database platforms are not impacted.

Note 2961991 patches SAP Marketing by blocking the ability of authenticated attackers to invoke certain functions in the vulnerable Mobile Channel Servlet. The fix will block unwanted URLs via web.xml and scan the payloads of /$batch requests. The workaround in note 2962970 can provide an interim fix if note 2961991 cannot be immediately implemented.

Note 2941667 includes updated correction instructions for an OS command injection vulnerability in NetWeaver AS ABAP. The note impacts the  batch input recorder report RSBDCREC when executed outside the context of transaction SHDB.

Notes 2902456 and 2912939 are also updated for a privilege escalation vulnerability in SAP Landscape Management and a Server Side Request Forgery vulnerability in AS ABAP, respectively.

SAP Security Notes, August 2020

Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes HTTP extensions to support file management on remote web servers. Content management operations in KM are performed by methods that conform to the WebDAV protocol. Force Text Download is deactivated by default. This prevents the opening of files containing malicious scripts. The Malicious Script Filter can be used to encode executable scripts in files uploaded to KM repositories and therefore block the execution of the scripts. Encoded scripts can be decoded using the Malicious Script Handler. Note 2938162 removes a broken authentication vulnerability in KM that enables unauthenticated users to upload files to content repositories.

Note 2941667 introduces authorization checks for report RSBDCREC when executed directly without transaction SHDB. This could be exploited to inject malicious code in recordings or extensions. The note extends checks for authorization object S_BDC_MONI to the report and adds checks for authorization object S_DEVELOP for a central API.

Note 2941315 patches a missing authentication check in a web service that could be exploited to provoke a denial of service in SAP NetWeaver AS JAVA.  Note 2927956 mitigates a missing authentication check for the Unix Xvfb daemon required by SAP BusinessObjects Business Intelligence. The vulnerability could enable attackers to capture keystrokes and screen captures using the X server in SAP hosts.

SAP Security Notes, July 2020

Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems.

Note 2934135 introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. KBA 2948106 includes FAQs to support the implementation of the note. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

Note 2932473 removes a high-risk information disclosure vulnerability in the XMLToolkit of AS Java. The vulnerability could be exploited to read arbitrary files including files containing sensitive system configuration data.

Note 2734580 includes updated instructions for patching another information disclosure vulnerability impacting AS ABAP.  Note 2091403 should be implemented as a prerequisite for 2734580.

SAP Security Notes, June 2020

Hot News note 2928570 patches a critical remote code execution vulnerability in SAP Liquidity Management for Banking. The vulnerability impacts connections using the Apache JServ Protocol (AJP) in Apache Tomcat. AJP connections should be blocked if not required by disabling the AJP Connector. The connections can be exploited to read and process arbitrary files in the Apache web server. This can be abused to perform remote code execution if web applications allow file uploads and the processing of files as JavaServer Pages. Apache Tomcat has been upgraded to harden the AJP Connector. However, SAP does not recommend upgrading the web server. Rather, note 2928570 provides manual procedures for disabling the AJP Connector or securing AJP connections with a secret key.

Note 2918924 provides instructions for removing hard-coded Credentials in SAP Commerce and SAP Commerce Datahub. The use of default passwords for admin and other built-in accounts has been discontinued for new installations of SAP Commerce. Since re-initializing SAP Commerce leads to the deletion of all data in the application, SAP recommends using the scripts in Note 2922193 to remove default credentials in existing installations.  

Note 2933282 removes a missing authorization check that could lead to an escalation of privileges in SAP SuccessFactors Recruiting.

Notes 2906366 and 2734580 includes corrections for high priority information disclosure vulnerabilities in SAP Commerce and SAP NetWeaver Application Server ABAP (AS ABAP), respectively.  

SAP Security Notes, May 2020

Hot News Note 2835979 patches a critical code injection vulnerability in Service Data Download. The vulnerability can be exploited by attackers to inject malicious code into the ST-PI plugin for NetWeaver Application Server ABAP (AS ABAP). This could lead to the complete compromise of ABAP servers.  The vulnerability carries a base CVSS score of 9.9/10 and can be exploited over the network.

Hot News Note 2885244 carries a similar CVSS score of 9.8/10 and can be exploited to bypass authentication using REST Webservices (BIPRWS) for Live Data Connect in the SAP Business Intelligence Platform. The fix packaged with the note enables Live Data Connect to logon to the BI Central Management Server (CMS) with a shared key. This prevents logons to the CMS without a password when using trusted authentication.  The fix is available for version 2.4 of Live Data Connect. Customers using earlier versions are advised to upgrade to version 2.4.

Notes 2917275 and 2917090 patch critical code injection and information disclosure vulnerabilities in the Backup Server and Cockpit of SAP Adaptive Server Enterprise (ASE), formerly Sybase ASE. ASE is a widely used database platform for SAP systems. Note 2917275 applies input validation checks for DUMP and LOAD commands to prevent the execution of malicious user-provided code.  Note 2917090 prevents the disclosure of sensitive system and user data including account credentials. The impacted ASE versions are 16.0 SP02 and SP03.

SAP Security Notes, April 2020

Hot news note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could enable attackers with basic authorization to execute deserialization attacks. This could be exploited to perform malicious code execution.

Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.

Note 2896682 delivers corrections for a high risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.

Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.

Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.