Layer Seven Security

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of an open naming and directory API to access services and read and modify sensitive information, execute SQL commands, and perform a denial of service. There are no workarounds for the vulnerabilities. The notes apply access control for the interface. After the implementation of the correction, full access to the interface will require UME role SAP_XI_ADMINISTRATOR_J2EE. Read and write access will require roles SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE. Read-only access can be provided using role NWA_READONLY.

Note 3239475 deals with a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability enables attackers with non-administrative privileges to upload/replace any file in the operating system of the Business Objects server, thereby taking full control of the system. Both the Central Management Console (CMC) and BI Launchpad (BILP) on BOBJ 4.2 and 4.3 are impacted.

Hot news note 3271523 patches a remote code execution vulnerability associated with Apache Commons Text in SAP Commerce, an open-source Java library that performs variable interpolation. Versions 1.5 – 1.9 of Apache Commons Text include interpolators that can be used to execute arbitrary code or connect with remote servers. The library should be updated to 1.10 to disable the vulnerable interpolators. Note 3271523 includes instructions for locating and updating the affected .jar files manually.

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, or provoke a denial of service. As a workaround, customers can first backup and then delete the files in the following folders of the Tomcat directory:



The workaround disables the selection of the format in the creation of a Publication or a Schedule. It will cause a HTTP 404 page in the Format area when trying to schedule a document. This impacts the CMC only. There is no impact on the BI Launchpad.

Note 3256571 for CVE-2022-41214 addresses multiple high-risk directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by insufficient path validation that enables attackers to access remote-enabled function modules to read and delete restricted files in AS ABAP.

Note 3249990 deals with denial of service vulnerabilities in SQlite bundled with SAPUI5 that can be triggered by array-bounds overflow.

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific versions of SAP Commerce Cloud. Workarounds are also detailed in the note if the patches cannot be applied. This includes removing the OAuth extension and URL filtering. The latter can be implemented using website redirects in SAP Commerce. However, there are known side-effects with the workarounds. For example, the OAuth extension is required by SmartEdit Module, Assisted Service Module, and other extensions. OAuth may also be required for integrations.

Note 3242933 provides a fix for critical directory traversal vulnerability in SAP Manufacturing Execution that could lead to information disclosure. The effected plugins are Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER).

Note 3229132 patches an information disclosure vulnerability in Program Objects within SAP BusinessObjects Business Intelligence Platform that could be exploited to compromise OS credentials. The credentials are exposed in clear-text to administrators.

Note 3232021 deals with a buffer overflow vulnerability in SAP SQL Anywhere and SAP IQ that can be used to trigger a denial of service in database servers.

Notes 3245929 and 3245928 patch multiple high-risk vulnerabilities in SAP Visual Enterprise Viewer.

SAP Security Notes, September 2022

Note 3237075 patches a high priority vulnerability in SAP GRC Access Control that could be exploited by attackers to access Firefighter sessions even after they are closed in the Firefighter Logon Pad. Firefighter IDs are dedicated user identities with elevated privileges that are activated when required and controlled through Emergency Access Management (EAM) in SAP GRC. Note 3237075 provides a patch to detect active Firefighter sessions using SM04 and SM05 information. To properly retrieve the SM05 data, the GRC RFC user will require authorization object S_ADMI_FCD with value PADM. According to SAP, the implementation of the correction will lead to a slight degradation in performance due to the additional time required for the SM04 check during logon. This only affects the central system.

Note 3213507 resolves a privilege escalation and information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the retrieval and modification of sensitive system data from the Central Management Server (CMS) and Monitoring DB. Note 3217303 patches a similar vulnerability in the BOBJ Central Management Console (CMC).

Notes 3223392 and 3226411 deal with high-risk privilege escalation vulnerabilities in SAP Business One and SAP SuccessFactors, respectively. The vulnerabilities can be exploited to gain system privileges.

Finally, note 2998510 was updated to clarify that sysmon is not the only OS application that can be exploited to compromise authentication credentials for the CMS in BOBJ. Also, the vulnerability impacts BOBJ installations operating from both Linux/ Unix and Windows platforms.

SAP Security Notes, August 2022

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse.

Note 3150454 was also updated to enforce authorization checks in lower SP levels of SAP NetWeaver Application Server ABAP when RFC destinations are modified using transaction SM59.

Note 3210823 addresses an information disclosure vulnerability in Open Document within SAP BusinessObjects Business Intelligence Platform (BOBJ). Open Document is a web application that processes incoming URL requests for documents and other objects. The vulnerability can be exploited by unauthenticated attackers to retrieve sensitive information over the network. The impacted versions of BOBJ are 4.2 SP009 and 4.3 SP002 – SP003.

Notes 3213524 and 3213507 patch lower-priority information disclosure vulnerabilities in the commentary and monitoring databases of SAP BOBJ that could lead to the exposure of sensitive system data. The vulnerabilities require network access for successful exploitation.

SAP Security Notes, July 2022

There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from XPath passwords to explicit passwords in the FTP Adapter as temporary workaround.

Note 3157613 deals with a missing authentication check in the License Service API of Business One that could enable attackers to provoke a denial of service.

Note 3191012 resolves a code injection vulnerability in Business One that enables threat actors to upload and execute malicious executable files, such as exe, bat, and other script or binary file types. The note blocks the upload of file types included in the Microsoft block list.

Notes 3221288 and 3213141 patch vulnerabilities that can lead to the leakage of token information and access credentials for SAP BusinessObjects Business Intelligence and SAP Landscape Management, respectively.

SAP Security Notes, June 2022

Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the SAProuter. Entries that use the P or S prefix with a wildcard in target host and either a wildcard in the target port or the default port 3299 are vulnerable to the exploit. The use of wildcards in target host and target port for P and S entries is not recommended by SAP. Refer to SAP note 1895350 for details. The use of specific hostnames or IP addresses for target hosts will provide a temporary fix for the vulnerability. However, SAProuter versions 7.22 and 7.53 should be patched to patch levels 1119 and 1011, respectively, to permanently address the vulnerability. Kernel patches are also included in note 3158375.

Note 3197005 deals with a privilege escalation vulnerability in SAP PowerDesigner Proxy. The vulnerability can enable attackers with non-administrative privileges to work around a system’s root disk access restrictions to write or create a program file on the system disk root path, which could then be executed with the elevated privileges of the application during application start up or reboot.

Note 2726124 patches missing authorization checks in multiple components of SAP Automotive Solutions that can also lead users to escalate privileges.

Note 3147498 removes an access control gap in SAP NetWeaver Application Server Java to restrict access to remote objects such as adminadapter services.

SAP Security Notes, May 2022

Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788.

Notes 2756188 and 2754555 patch Cross-Site Request Forgery (CSRF) vulnerabilities in the front end and back end of Bank Payments of the Fiori UI for Financial Accounting.

Note 2998510 provides a fix for an information disclosure vulnerability in the Central Management Server (CMS) of SAP BusinessObjects that could lead to the leakage of authentication credentials in Sysmon event logs.

Central note 3170990 was updated with note 3189409 to include a patch for the critical Sping4Shell Remote Code Execution vulnerability in SAP Business One Cloud.

SAP Security Notes, April 2022

The central note 3170990 consolidates security notes for the critical Spring4Shell vulnerability. Spring4Shell is addressed by CVE-2022-22965. This is related to a remote code execution vulnerability in the open-source Java Spring Framework. Successful exploitation requires Apache Tomcat for serving applications built as a WAR file. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Sping4Shell in multiple SAP Solutions including SAP HANA Extended Application Services, PowerDesigner Web and SAP Commerce.

Hot news notes 3022622 and 3158613 fix a code injection vulnerability in SAP Manufacturing Integration and Intelligence. The vulnerability can be exploited by threat actors to escalate privileges and execute OS commands. The notes block the saving of Java Server Pages (JSP) through the SSCE (Self Service Composition Environment).

Note 3111311 provides solutions for a high priority Denial of Service vulnerability in the Web Dispatcher and Internet Communication Manager. The vulnerability is caused by a program error related to parameter icm/HTTP/file_access. The parameter defines static file access for URL prefixes and the target directory for static files.

SAP Security Notes, March 2022

Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU.

ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers.  SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches ICMAD in AS Java. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.

The central note 3131047 for the critical remote code execution vulnerability in the Apache Log4J 2 component was updated with the addition of security note 3154684. The new note patches Log4Shell in the mobile solution SAP Work Manager.