Layer Seven Security

SAP Security Notes, April 2021

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low-privileged attacker to inject malicious code over the network through a remote-enabled function module. Due to a lack of input validation, users granted RFC access to the function module can inject malicious ABAP code, which is saved persistently in a report in the ABAP repository. Executing the report then runs the injected code, leading to the loss of sensitive data, modification of critical data, or denial of service. Note 2999854 introduces input validation for the affected functions to prevent code injection.

Hot news note 3040210 patches a remote code injection vulnerability in Source Rules of SAP Commerce. SAP Commerce Backoffice allows certain authorized users to create source rules, which are translated to Drools rules when published to certain modules within the application. An attacker can inject malicious code into the source rules and achieve remote code execution, compromising the confidentiality, integrity and availability of the application. SAP Commerce installations that do not include any extensions from the Rule Engine module are not affected. Note 3040210 addresses the vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules.

Note 3022422 includes an updated FAQ for a critical missing authorization check in the MigrationService of SAP NetWeaver Application Server Java (AS Java). The vulnerability could be exploited to gain administrative privileges by accessing specific configuration objects. The solution included in the note requires a system restart. Note 3030298 provides a temporary workaround if a restart is not possible.

Note 3001824 patches an information disclosure vulnerability in AS Java. Attackers can invoke telnet commands that trigger outgoing SMB requests from the server, exposing the NTLM hashes of privileged users. Possible workarounds include disabling outgoing NTLM traffic by group policy, blocking outgoing SMB requests with appropriate firewall rules and, for Linux systems, disabling the Samba protocol on all hosts in the cluster.

SAP Security Notes, March 2021

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the Self Service Composition Environment (SSCE). Attackers can target this feature to inject malicious JSP code that includes OS commands. The code and commands are executed by MII when the dashboards are opened by users. The solution applied via note 3022622 blocks the saving of files as JSP through SSCE. There is no workaround for the vulnerability.

Hot news note 3022422 corrects a missing authorization check in the MigrationService of SAP NetWeaver Application Server Java (AS Java). The flaw could provide unauthorized access to configuration objects, including objects that grant administrative privileges. The solution requires a system restart. The workaround in note 3030298 can be applied if a system restart is not possible.

Note 3017378 addresses a high priority authentication bypass vulnerability in SAP HANA installations using external authentication via LDAP directory services. SAP HANA systems and users configured for LDAP are only vulnerable if the connected LDAP directory server accepts unauthenticated binds, which some directory servers can be configured to offer. In that case, the SAP HANA database's handling of LDAP authentication can be misused: an attacker can gain access to the database through any user enabled for LDAP-based authentication without presenting valid credentials.
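The unauthenticated bind the note turns on is a protocol-level behaviour (IETF RFC 4513, section 5.1.2: a BindRequest with a name but an empty password). The following is an added example written for this page, not code from Layer Seven Security, SAP or SAP HANA. It encodes an LDAP simple BindRequest, classifies it the way RFC 4513 does, and contrasts a login routine that treats any successful bind as proof of identity with one that refuses to send an unauthenticated bind at all. The `Directory` class is a constructed stand-in for the directory server (no network), its `allow_unauthenticated` flag models the server-side setting the note describes, and the DN and password are constructed values.

```python
"""LDAP simple-bind classification and the client-side check that defeats an
'unauthenticated bind' authentication bypass. Added example for this page; not
code from Layer Seven Security or SAP. Directory is a constructed stand-in for
an LDAP server, and the DN/password used below are constructed."""

ANONYMOUS = "anonymous"              # empty name, empty password  (RFC 4513 5.1.1)
UNAUTHENTICATED = "unauthenticated"  # name given, empty password  (RFC 4513 5.1.2)
SIMPLE = "simple"                    # name and password given     (RFC 4513 5.1.3)

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53

def classify_simple_bind(dn: str, password: bytes) -> str:
    """Classify a simple BindRequest the way RFC 4513 section 5.1 does."""
    if not dn and not password:
        return ANONYMOUS
    if dn and not password:
        return UNAUTHENTICATED
    return SIMPLE

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def encode_bind_request(message_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } } per RFC 4511."""
    assert 0 <= message_id < 0x80, "single-octet INTEGER is enough for this example"
    bind = _tlv(0x60,                        # [APPLICATION 0] BindRequest
                _tlv(0x02, b"\x03")          # version INTEGER 3
                + _tlv(0x04, dn.encode())    # name LDAPDN (OCTET STRING)
                + _tlv(0x80, password))      # authentication: simple [0] OCTET STRING
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(msg: bytes):
    """Inverse of encode_bind_request: returns (message_id, dn, password)."""
    tag, body, _ = _read_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage"
    tag, mid, pos = _read_tlv(body, 0)
    assert tag == 0x02, "missing messageID"
    tag, bind, _ = _read_tlv(body, pos)
    assert tag == 0x60, "not a BindRequest"
    _, _, pos = _read_tlv(bind, 0)           # version, not needed here
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    assert tag == 0x80, "only simple authentication is modelled"
    return int.from_bytes(mid, "big"), name.decode(), auth

class Directory:
    """Constructed LDAP server stand-in. allow_unauthenticated mirrors the
    directory-server setting that makes the HANA LDAP configuration exploitable."""
    def __init__(self, passwords: dict, allow_unauthenticated: bool):
        self.passwords = passwords
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, request: bytes) -> int:
        _, dn, password = decode_bind_request(request)
        kind = classify_simple_bind(dn, password)
        if kind == ANONYMOUS:
            return LDAP_SUCCESS
        if kind == UNAUTHENTICATED:
            # RFC 4513 5.1.2: servers SHOULD refuse with unwillingToPerform by default.
            # If they accept, the bind succeeds but is anonymous: it proves nothing
            # about the named user, which is exactly what a naive client gets wrong.
            return LDAP_SUCCESS if self.allow_unauthenticated else LDAP_UNWILLING_TO_PERFORM
        if self.passwords.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS

def weak_login(directory: Directory, dn: str, password: bytes) -> bool:
    """The bypass pattern: any successful bind is taken as proof of identity."""
    return directory.bind(encode_bind_request(1, dn, password)) == LDAP_SUCCESS

def hardened_login(directory: Directory, dn: str, password: bytes) -> bool:
    """Never send an anonymous or unauthenticated bind as a login attempt."""
    if classify_simple_bind(dn, password) != SIMPLE:
        return False
    return directory.bind(encode_bind_request(1, dn, password)) == LDAP_SUCCESS

if __name__ == "__main__":
    dn = "cn=hana_admin,ou=people,dc=example,dc=com"   # constructed
    permissive = Directory({dn: b"correct-horse"}, allow_unauthenticated=True)
    print("weak login, empty password:    ", weak_login(permissive, dn, b""))      # True
    print("hardened login, empty password:", hardened_login(permissive, dn, b""))  # False
```

The check a practitioner wants is on both sides: confirm the directory server rejects unauthenticated binds (resultCode 53, unwillingToPerform, is the RFC 4513 default), and make sure nothing that authenticates against LDAP forwards an empty password to the server, because a permissive directory will answer success.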

SAP Security Notes, February 2021

Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with the required privileges to edit Drools rules. An authenticated attacker with this privilege is able to inject malicious code into the Drools rules, enabling the attacker to compromise the SAP host. The vulnerability affects the DroolsRule item type of the ruleengine extension, which exposes scripting facilities via its ruleContent attribute. Changing ruleContent should normally be limited to highly privileged users, such as members of admingroup. Due to a misconfiguration of the default user permissions shipped with SAP Commerce, several lower-privileged users and user groups can gain permission to change DroolsRule ruleContents and thereby access the scripting facilities.

SAP Commerce installations that do not have the ruleengine extension installed are not affected. However, the extension is a common component of SAP Commerce installations. Note 3014121 improves the default permissions that govern change access to scripting facilities of DroolsRules. Script editing facilities for DroolsRules can be disabled in the SAP Commerce Backoffice as a second line of defense.

Note 2986980 was updated for SAP Business Warehouse releases 7.0x. The note patches SQL injection and missing authorization checks in the Database Interface of SAP BW.

Notes 2743329 and 2475705 introduce switchable authorization checks for sensitive RFC-enabled modules in S/4HANA and SAP ECC.

SAP Security Notes, January 2021

Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW/4HANA. The vulnerability could be exploited to execute privileged OS commands. For release 7.30, the correction introduces a hard-coded report name that can only be executed by a legitimate user. For BW/4HANA, the note removes the impacted function.

Hot news note 2999854 patches a similar code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. The note improves input validation to prevent the injection and execution of malicious code through the impacted function module.

Note 3000306 removes a high-risk denial of service (DoS) vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note blocks the parallel execution of demo examples from the web version of the ABAP Keyword Documentation to prevent resource exhaustion.

Finally, note 2993132 is updated for a missing authorization check impacting an RFC-enabled function module in SAP NetWeaver AS ABAP and SAP S/4HANA.

SAP Security Notes, December 2020

Hot News note 2983367 patches a severe OS command injection vulnerability in Master Data Management (MDM) in SAP Business Warehouse and SAP BW/4HANA. For release 7.30, the note binds execution of the affected function module to a hard-coded report and to legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether.

Note 2974774 deals with a missing authentication check in P2P Cluster Communication within SAP NetWeaver Application Server Java (AS Java). P2P Cluster Communication supports message exchange between server nodes within a cluster. The note provides a correction to prevent connections from outside the cluster, which could be abused to perform administrative functions including system shutdowns. As a workaround, the message server access control list can be restricted to allow P2P connections only from trusted IP addresses. Network firewall rules can also be used to block external access to the P2P port.

Hot News note 2979062 includes an update for a critical privilege escalation vulnerability in the UDDI server of AS Java. The vulnerability can be exploited to completely compromise the confidentiality, integrity and availability of the server's operating system. The update provides fixes for SR UI 7.40 SP 017 and SR UI 7.31 SP 022.

SAP Security Notes, November 2020

Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4HANA. The note introduces an authorization check on object S_DMIS to control the execution by RFC of a vulnerable function module that is used to check the syntax of a table selection query. Attackers can abuse the function module to inject malicious ABAP code that could lead to the complete compromise of the affected system.

Note 2982840 addresses multiple critical vulnerabilities in SAP Data Services, including remote execution and denial of service.

Hot News notes 2985866 and 2890213 remove missing authentication checks in the LM-SERVICE within the Java stack of SAP Solution Manager.

Finally, note 2979062 deals with a privilege escalation vulnerability in the UDDI Server of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary OS commands and compromise the operating system.

SAP Security Notes, October 2020

Hot news note 2969828 patches an OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed with SAP Solution Manager and SAP Focused Run. EM is used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 that removes the vulnerability; earlier versions must first be upgraded to one of these versions before the patch is applied. If the patch cannot be applied immediately, the EM service can be stopped. Stopping the service does not impact the Cybersecurity Extension for SAP Solution Manager, which does not require it.

Note 2969457 corrects a missing XML validation in Compare Systems within SAP NetWeaver that can be exploited to read arbitrary OS files and provoke a denial of service.

Note 2972661 patches a high priority reflected cross-site scripting vulnerability in the SAP NetWeaver Composite Application Framework.

Notes 2941315 and 2898077 contain important updates for a missing authentication check in SAP NetWeaver AS JAVA and information disclosure in SAP Business Objects Business Intelligence Platform, respectively.

SAP Security Notes, September 2020

Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. Attackers can target specific function modules to inject code into working memory that is subsequently executed by the application, assuming complete control of BW including viewing, changing or deleting data. The vulnerability impacts BW releases up to 7.40 running on SAP Adaptive Server Enterprise (ASE) 15.7 and 16.0; BW installations running on other database platforms are not impacted.

Note 2961991 patches SAP Marketing by blocking the ability of authenticated attackers to invoke certain functions in the vulnerable Mobile Channel Servlet. The fix will block unwanted URLs via web.xml and scan the payloads of /$batch requests. The workaround in note 2962970 can provide an interim fix if note 2961991 cannot be immediately implemented.

Note 2941667 includes updated correction instructions for an OS command injection vulnerability in NetWeaver AS ABAP. The vulnerability affects the batch input recorder report RSBDCREC when it is executed outside the context of transaction SHDB.

Notes 2902456 and 2912939 are also updated for a privilege escalation vulnerability in SAP Landscape Management and a Server Side Request Forgery vulnerability in AS ABAP, respectively.

SAP Security Notes, August 2020

Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the Force Text Download option to remove the vulnerability. Force Text Download is a parameter of the WebDAV protocol, a set of HTTP extensions for managing files on remote web servers; content management operations in KM are performed by methods that conform to WebDAV. The parameter is deactivated by default, which prevents the opening of files containing malicious scripts. In addition, the Malicious Script Filter can be used to encode executable scripts in files uploaded to KM repositories and so block their execution; encoded scripts can be decoded using the Malicious Script Handler. Note 2938162 removes a broken authentication vulnerability in KM that enables unauthenticated users to upload files to content repositories.

Note 2941667 introduces authorization checks for report RSBDCREC when it is executed directly rather than through transaction SHDB. Direct execution could be exploited to inject malicious code into recordings or extensions. The note extends the checks on authorization object S_BDC_MONI to the report and adds checks on authorization object S_DEVELOP for a central API.

Note 2941315 patches a missing authentication check in a web service of SAP NetWeaver AS JAVA that could be exploited to provoke a denial of service. Note 2927956 mitigates a missing authentication check for the Unix Xvfb daemon required by SAP BusinessObjects Business Intelligence. The vulnerability could enable attackers to capture keystrokes and screen contents through the X server on SAP hosts.

SAP Security Notes, July 2020

Hot News Note 2934135 patches the critical RECON vulnerability in NetWeaver Application Server Java (AS Java). RECON targets a missing authentication flaw in the LM Configuration Wizard of AS Java to execute malicious code that creates administrative users in compromised systems. Attackers can exploit RECON to compromise not only AS Java systems but also connected systems.

Note 2934135 introduces authentication and authorization for the LM Configuration Wizard and therefore secures against RECON attacks. KBA 2948106 includes FAQs to support the implementation of the note. As a workaround, the application tc~lm~ctc~cul~startup_app can be disabled if the note cannot be applied. Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665.

Note 2932473 removes a high-risk information disclosure vulnerability in the XMLToolkit of AS Java. The vulnerability could be exploited to read arbitrary files including files containing sensitive system configuration data.

Note 2734580 includes updated instructions for patching another information disclosure vulnerability impacting AS ABAP. Note 2091403 should be implemented as a prerequisite for 2734580.