Layer Seven Security

SAP Security Notes, January 2024

Hot news note 3412456 deals with a critical privilege escalation vulnerability impacting the development platforms SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA. Applications in the node.js JavaScript runtime environment are vulnerable to CVE-2023-49583. Applications developed using @sap/xssec library versions earlier than 3.6.0 and @sap/approuter versions earlier than 14.4.2 are impacted. node.js application dependencies should be upgraded with the latest versions of the libraries @sap/approuter and @sap/xssec.

Hot news note 3413475 deals with another privilege escalation vulnerability. This impacts SAP Edge Integration Cell used to design, deploy and manage APIs with SAP Integration Suite. Edge Integration Cell should be upgraded to version 8.9.13 to mitigate the vulnerability. There is no available workaround.

Note 3389917 includes corrections for a high-priority denial of service vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver Application Server ABAP and SAP Web Dispatcher. The DOS can be triggered by threat actors through a high volume of HTTP/2 requests. Support for the HTTP/2 protocol can be disabled in effected versions of the ICM and Web Dispatcher by the setting parameter icm/HTTP/support_http2 to FALSE. NetWeaver Application Server Java is not impacted since it does not support HTTP/2.

Note 341186 patches a code injection vulnerability in the File Adapter within SAP Application Interface Framework that enables privileged users to execute OS commands using a vulnerable function module.

Note 3407617 details manual steps for correcting a missing authorization check in SAP LT Replication Server running on SAP S/4HANA 1809 to 2023. The steps involve restricting the permissions of the user for LT Replication Server background jobs.

SAP Security Notes, December 2023

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.

SAP Security Notes, November 2023

Hot News note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact to confidentiality, integrity and availability. SAP Business One allows read and write-access to SMB shared folders to anonymous users. The impacted components are the Crystal Reports (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder). The correction in the note modifies SMB shared folder permissions to only grant read and write access to authenticated and authorized users.

Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions including ASE, Event Stream Processor IQ, Replication Server, and SQL Anywhere.

Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The required kernel patches to correct the vulnerability are specified in the note.

Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to brute force the Java Logon application to discover legitimate user IDs. The vulnerability impacts version 7.50 of the J2EE Engine Server Core.

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. The installation of CommonCryptoLib 8.5.50 or higher in impacted products is recommended to address the vulnerability. This can be performed by upgrading the relevant software components to the recommended versions detailed in the note.

Note 3333426 was updated for a Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application of SAP NetWeaver AS Java. The vulnerability could lead to information disclosure that could be used to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.

Notes 3324732 and 3371873 address a log injection vulnerability in the Log Viewer of AS Java. The support package patches specified in the note implement encoding and validation for user input to address the vulnerability in the impacted components.

Notes 3372991 and 3357154 patch Cross-Site Scripting (XSS) and missing XML validation vulnerabilities in SAP BusinessObjects and SAP PowerDesigner Client, respectively.

SAP Security Notes, September 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.

Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.

Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.

Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade to CommonCryptoLib to 8.5.49 or higher.

SAP Security Notes, August 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability that can enable threat actors to access password hashes in client memory. SAP PowerDesigner Client and Proxy should be upgraded to version 16.7 SP06 PL04 or 16.7 SP07 to patch the vulnerabilities. The patches include fixes for proxy side authentication and authorization, and logging of attempted access control violations.

SAP PowerDesigner is also impacted by a code injection vulnerability addressed by note 3341599. SAP SQL Anywhere bundled with some versions of PowerDesigner allows an attacker with local access to take control of the application by loading malicious libraries that can be executed by PowerDesigner. The note recommends upgrading to SP07 PL01 that includes a patched version of SQL Anywhere that does not load custom unicode extension DLL by default.

Note 3344295 addresses a high-risk authentication bypass vulnerability in the SAP Message Server.  The vulnerability can be addressed by applying the kernel patches specified in the note. However, the related exploits can be mitigated by setting the profile parameter system/secure_communication to ON, protecting the internal port of the Message Server, and setting the trace level to a value lower than 2.

Notes 3317710 and 3312047 patch binary hijack and denial of service vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ).

Note 3346500 removes the ability for users to authenticate with an empty passphrase in SAP Commerce Cloud by changing the default value of the configuration property user.password.acceptEmpty from true to false.

SAP Security Notes, July 2023

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled in systems.

Notes 3340735 and 3233899 patch high-priority buffer overflow and HTTP request smuggling vulnerabilities in the SAP Web Dispatcher that could be exploited to leak information or trigger a denial of service.  The vulnerabilities affect only the HTTP/2 protocol. HTTP/1 is not affected. Standalone Web Dispatcher installations support HTTP/2 by default since version 7.73. Version 7.54 is only affected if parameter icm/HTTP/support_http2 is set to TRUE in the instance or DEFAULT profile. 7.45 is not affected because it does not support HTTP/2. Web Dispatcher installations that support HTTP/2 are only impacted if parameter icm/HTTP/support_http2 is explicitly set to TRUE.

Notes 3352058 and 3348145 deal with blind SSRF and header injection vulnerabilities impacting the Diagnostics Agent. The vulnerabilities can be addressed by upgrading the LM-SERVICE component in SAP Solution Manager. Note 2686969 includes instructions for upgrading the component to the required patch level.  

SAP Security Notes, June 2023

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a temporary workaround that involves removing the values of the “style” and “class” attributes in the html input of control sap.m.FormattedText and other controls.

Note 3102769 was updated for releases 7.31 and 7.40 of SAP Knowledge Warehouse (KW). The note resolves a high-priority cross-site scripting vulnerability in the Internet Knowledge Servlet (IKS) of KW. A workaround for the vulnerability is detailed in note 3221696. The IKS can be deactivated using the Config Tool. Alternatively, URL filters can be applied using the ICM or Web Dispatcher to block requests to the vulnerable component.

Notes 3319400, 2826092, 3331627 and 3318657 patch cross-site vulnerabilities in SAP BOBJ, CRM, Enterprise Portal, and the Design Time Repository of SAP NetWeaver, respectively.

SAP Security Notes, May 2023

Hot news note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. The login ticket can be used to access the platform with the credentials of the compromised user. The vulnerability impacts versions 4.2 and 4.3 of BOBJ.

Hot news note 3328495 addresses multiple vulnerabilities in SAP 3D Visual Enterprise License Manager. This includes code injection, broken authentication, and session hijacking. The vulnerabilities can be addressed by updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. A workaround is also included in the note as a temporary fix. The workaround will disable the vulnerable web interface for the solution.

Note 3326210 includes corrections to apply input validation for untrusted CSS in SAPUI5. Notes 3217303 and 3213507 patch high-risk information disclosure vulnerabilities in the CMC and Monitoring DB components of BOBJ, respectively.

Note 3301942 provides a fix to validate signatures of JSON Web Tokens in HTTP requests and remove a missing authentication vulnerability in SAP Digital Manufacturing.

SAP Security Notes, April 2023

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not effect metric data collection for data collectors that use the Agent. However, it will disable metric testing.

Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks report RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning a physical path to the logical path RSPO_FILE_LOCATION delivered with the note using transaction FILE.

Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.

Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.