Layer Seven Security

SAP Security Notes, January 2019

Hot News Note 2696233 deals with multiple vulnerabilities in the SAP Cloud Connector. The Connector is an agent that connects on premise systems with applications operating on the SAP Cloud Platform.  The agent supports HTTP, RFC, JDBC/ODBC and other connections between on-premise and cloud installations using reverse invoke without requiring inbound ports to be opened in on-premise network firewalls. Therefore, the Connector is designed to support secure cloud and on-premise connectivity. Note 2696233 patches a missing authentication vulnerability in the SAP Cloud Connector with a CVSS score of 9.3/10. It also addresses a lower-risk code injection vulnerability that could lead to information disclosure or a denial of service in the Connector. Customers are advised to upgrade to SAP Cloud Connector 2.11.3 to remove the vulnerabilities.

Hot News Note 2727624 includes corrections for removing a critical information disclosure vulnerability in SAP Landscape Management.  Landscape Management supports system cloning, copying, refreshing and other system administration tasks. The vulnerability addressed by Note 2727624 could be exploited by attackers to steal user credentials. The note recommends deleting entries in log files and changing passwords for system users that may be disclosed in logs.

Other high priority notes include 2727623 which removes a missing authorization check in SAP BW/4HANA and Note 2724788 which tackles various vulnerabilities in the Adobe PDF Print Library.

SAP Security Notes, December 2018

Hot News Note 2711425 patches a critical Cross-Site Scripting (XSS) vulnerability in SAP Hybris Commerce storefronts. The vulnerability could be exploited by attackers to modify web content and compromise user-related  authentication data. It affects versions 6.2 through 6.7 and 18.08 of SAP Hybris Commerce, including all but the latest patch releases. The vulnerability carries a CVSS v3.0 base score of 9.3/10 and scores particularly high in terms of impact to confidentiality and integrity. The related exploit is relatively non-complex and does not require any privileges in the target system. In addition to applying the automated updates referenced in Note 2711425, manual steps may be required to remove the vulnerability in cases where custom HTTP headers are used for caching, SAP Hybris Commerce is positioned behind a HTTP reverse proxy or load balancer, or the system is used in conjunction with a content delivery network (CDN).

Note 2642680 deals with a high-risk XML External Entity (XXE) vulnerability in SAP NetWeaver Application Server Java (AS Java) caused by missing validation for  XML documents received from untrusted sources. The vulnerability could lead to the compromise of the SAP file system or enable attackers to provoke a denial of service.

Note 2658279 patches an insufficient authorization check impacting the AS Java keystore service.

Note 2698996 removes a missing authorization check in SAP Customizing Tools. The note introduces a check for object S_RFC_ADM to prevent an escalation of privileges.

SAP Security Notes, November 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 was updated for multiple high-risk vulnerabilities addressed by Chromium release 70.0.3538.

Note 2681280 patches a critical remote code execution vulnerability in SAP HANA Streaming Analytics (HSA). The vulnerability impacts the open source Java-based Spring Framework library used by HSA. The note carries a CVSS score of 9.9/10.

Note 2701410 deals with a high-risk directory traversal vulnerability that could be exploited by attackers to access, modify or corrupt files on hosts supporting SAP Disclosure Management.

Note 2693083 removes transaction ZPTTNO_TIME from the standard role SAP_PS_RM_PRO_RECMANAGER. The transaction could be abused to escalate privileges in CRM Records and Case Management.

SAP Security Notes, October 2018

Hot News note 2654905 patches a high risk information disclosure vulnerability in the SAP BusinessObjects BI Suite. The execution of specific CMS queries on the Central Management Server could bypass authorization checks and lead to the leakage of sensitive data. The vulnerability scores 9.8/ 10 based on the Common Vulnerability Scoring System v3 (CVSS).  Patches for BI 4.1 SP 10-12 and 4.2 SP 4-6 referenced in the Note enable authorization checks for vulnerable CMS queries.

Note 2699726 provides corrections to remove a missing network isolation error in SAP’s Open Source project Gardener.  Gardener is an API server that provides Kubernetes clusters for several SAP products. SAP is responsible for security updates for Gardener instances and Gardener managed Kubernetes clusters at SAP. Note 2699726 applies only to Gardener stakeholders in the Open Source Community who operate their own Gardener installations. The Note recommends upgrading to Gardener release 0.12.4 or higher in order to prevent admins in shoot clusters from compromising seed clusters or other shoot clusters.

Note 2696962 provides instructions for dealing with a Denial of Service (DoS) vulnerability in the SQLite database engine of SAPFoundation. SQLite is embedded in the SAP Cloud Platform SDK for iOS 2.0 SP02 and 3.0.

Note 2674215 provides corrections for patching a stack overflow vulnerability that could be exploited by attackers to provoke a denial of service in SAP Plant Connectivity.

SAP Security Notes, September 2018

Note 2681207 patches a high-risk missing XML validation vulnerability in Extended Application Services (XS) in SAP HANA. The OData parser in HANA XS does not sufficiently validate XML input from users. This can lead to the processing of malicious code that could provoke a denial of service in the database server. The vulnerability can be exploited if applications using OData services are enabled on HANA XS. If authentication is not enforced for an enabled application using OData, an anonymous attacker can exploit the vulnerability. The attacker needs network access to the HTTP/HTTPs port of the SAP HANA database XS engine classic model. The vulnerability can be fixed by applying the software packages listed in note 2681207. Alternatively, you can limit network access to the XS classic server running in the tenant databases of a multitenant system. The default port range is 30040 – 30997. It is also recommended to enforce authentication for applications using OData services via HANA XS.

Note 2644279 deals with a similar high-risk missing XML validation vulnerability in a component of the BEx Web Java Runtime in Business Warehouse. The issue is specific to PDF ALV Export.

Note 2392860 removes transaction ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_ RM_PRO_REVIEWER in SAP CRM Case Management. The transaction could be abused to escalate privileges.

Other high priority notes include note 2670284 which updates logging functions in Crystal Reports and Business One for HANA to prevent the disclosure of sensitive information, and note  2449974 which introduces authorization check V_VBKA_VKO for specific Sales Support APIs in ECC Sales and Distribution.

SAP Security Notes, August 2018

There were several high priority Security Notes released in August for vulnerabilities impacting multiple Business Intelligence applications. Note 2569748 patches an XML External Entity vulnerability in Crystal Reports for Enterprise. Note 2614229 deals with a memory corruption vulnerability in the BOBJ platform that can be triggered by a buffer overflow. Note 2644154 provides corrections for a SQL injection vulnerability in the BI Launchpad for Web Intelligence that could be exploited to read sensitive data.

A similar SQL injection vulnerability is addressed in the MaxDB database by note 2660005. The solution includes removing unnecessary privileges for DBM operators responsible for managing databases.

Notes 2655250 and 2155614 patch missing authorization checks in the MDM Catalog of Supplier Relationship Management (SRM) and components of ERP Sales and Distribution.  

Note 2201710 includes instructions for responding to Logjam and similar vulnerabilities in SAP products using OpenSSL. Logjam involves downgrading vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. Note 2201710 adds protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits.

SAP Security Notes, July 2018

Notes 2017041 and 2016974 patch high-risk information disclosure vulnerabilities in SAP Environment, Health & Safety Management (EHSM). The vulnerabilities could be exploited to leak sensitive information stored or processed by the transactional Fiori apps Inspect Safety Controls and Retrieve Safety Information. The apps support the performance and tracking of safety control inspections.

Note 2641674 provides corrections to support virus scanning for OData v2 connections in the SAP Gateway using the SAP Virus Scan Interface (VSI). This will protect against the insertion of untrusted files and malware.

Note 2597913 includes a kernel patch to remove a Denial of Service vulnerability in the SAP Gateway that could enable attackers to provoke resource exhaustion  by flooding specific services. The relatively low CVSS score for the note is misleading. Exploitation of the vulnerability requires network-level access only and does not require any privileges in the system. Furthermore, the impact in terms of system availability is high.

Note 2622434 removes passwords in route strings that are forwarded from one SAProuter to another. Route strings define permitted connections, users and services between hosts. The leakage of passwords could lead to targeted attacks against the SAProuter.

Finally, Note 2664767 removes the logging of sensitive data in logs for SAP Dynamic Authorization Management (DAM) by NextLabs. DAM supports attribte or policy-bsed control to manage user privileges.

SAP Security Notes, June 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 was updated in June for corrections addressed by Chromium release 67.0.3396. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Note 2537150 was also re-released with updated support pack information. The Note includes corrections to automatically terminate active sessions for users whose passwords have been changed in SAP BusinessObjects.

Notes 2629535 and 2626762 patch high-risk vulnerabilities in open-source components bundled in SAP Internet Sales. The vulnerabilities could be exploited to provoke a denial of service or bypass authentication and authorization controls. SAP Internet Sales is often tightly integrated with back-end SAP systems for order fulfillment and processing.

Finally, there were several important notes released for SAP Solution Manager. Note 2546807 provides manual instructions for successfully connecting agents for Wily Introscope to managed systems. Introscope is included in Solution Manager to support diagnostics and monitoring.  Note 2574394 includes steps for authenticating and encrypting connections from Solution Manager to Diagnostics Agents using TLS. Instructions for securing connections from Diagnostics Agents to Solution Manager are available in Note 2593479.

SAP Security Notes, May 2018

SAP released an update for Hot News Note 2357141 which addresses a critical OS command injection vulnerability in the terminology export report program of  SAPterm (transaction STERM). STERM is used to search SAP-delivered terminology and create and maintain customer-specific terminology. TERM_EXCEL_EXPORT is a standard executable program that enables users to export terminology repositories to Excel. The program calls function modules that accept unfiltered user commands in expressions that are used to call systems. This could be abused by attackers perform arbitrary operating system commands using the elevated privileges of the <sid>adm user.  The impact of such an exploit could include compromise of the entire SAP file system in the effected host. This explains the high CVSS base score of 9.1 / 10 for Note 23557141. The Note rates high in terms of the impact to information confidentiality, integrity and availability. Systems with SAP_BASIS versions 7.31 – 7.66 should be patched to the relevant Support Package level listed in the Note.

There was also an important update for Note 2622660 which includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft.

Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Finally, Note 2537150 was re-released with updated support pack information. The Note includes corrections to automatically terminate active sessions for users whose  passwords have been changed in BusinessObjects.

SAP Security Notes, April 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro.  It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes.  Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The critical rating of the note is due to the fact that the highest CVSS rating of the security corrections bundled in the fixes is 9.8/10.

Note 2552318 provides an important update for Note 2376081 released in August 2017. The note deals with a high priority code injection vulnerability impacting iviews created in Visual Composer. Iviews are interactive, web-based applications in Java platforms. The corrections included in Notes 2552318 and 2376081 will support code injection checks for the entire input stream received from Visual Composer in the export to Excel mechanism. Note 2376081 should be implemented before 2552318.

Note 2537150 includes corrections to automatically terminate active sessions for user whose passwords have been changed in BusinessObjects.

Note 2587985 provides instructions for removing a Denial of Service (DOS) vulnerability in the Apache Http Server embedded in SAP Business One.

Finally, Note 2190621 provides a solution to log peer IP addresses instead of terminal IP addresses in the Security Audit Log, Peer or routed IP addresses are less vulnerable to manipulation than terminal IP addresses.