Layer Seven Security

SAP Security Notes, July 2023

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled in systems.

Notes 3340735 and 3233899 patch high-priority buffer overflow and HTTP request smuggling vulnerabilities in the SAP Web Dispatcher that could be exploited to leak information or trigger a denial of service.  The vulnerabilities affect only the HTTP/2 protocol. HTTP/1 is not affected. Standalone Web Dispatcher installations support HTTP/2 by default since version 7.73. Version 7.54 is only affected if parameter icm/HTTP/support_http2 is set to TRUE in the instance or DEFAULT profile. 7.45 is not affected because it does not support HTTP/2. Web Dispatcher installations that support HTTP/2 are only impacted if parameter icm/HTTP/support_http2 is explicitly set to TRUE.

Notes 3352058 and 3348145 deal with blind SSRF and header injection vulnerabilities impacting the Diagnostics Agent. The vulnerabilities can be addressed by upgrading the LM-SERVICE component in SAP Solution Manager. Note 2686969 includes instructions for upgrading the component to the required patch level.  

SAP Security Notes, June 2023

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a temporary workaround that involves removing the values of the “style” and “class” attributes in the html input of control sap.m.FormattedText and other controls.

Note 3102769 was updated for releases 7.31 and 7.40 of SAP Knowledge Warehouse (KW). The note resolves a high-priority cross-site scripting vulnerability in the Internet Knowledge Servlet (IKS) of KW. A workaround for the vulnerability is detailed in note 3221696. The IKS can be deactivated using the Config Tool. Alternatively, URL filters can be applied using the ICM or Web Dispatcher to block requests to the vulnerable component.

Notes 3319400, 2826092, 3331627 and 3318657 patch cross-site vulnerabilities in SAP BOBJ, CRM, Enterprise Portal, and the Design Time Repository of SAP NetWeaver, respectively.

SAP Security Notes, May 2023

Hot news note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. The login ticket can be used to access the platform with the credentials of the compromised user. The vulnerability impacts versions 4.2 and 4.3 of BOBJ.

Hot news note 3328495 addresses multiple vulnerabilities in SAP 3D Visual Enterprise License Manager. This includes code injection, broken authentication, and session hijacking. The vulnerabilities can be addressed by updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. A workaround is also included in the note as a temporary fix. The workaround will disable the vulnerable web interface for the solution.

Note 3326210 includes corrections to apply input validation for untrusted CSS in SAPUI5. Notes 3217303 and 3213507 patch high-risk information disclosure vulnerabilities in the CMC and Monitoring DB components of BOBJ, respectively.

Note 3301942 provides a fix to validate signatures of JSON Web Tokens in HTTP requests and remove a missing authentication vulnerability in SAP Digital Manufacturing.

SAP Security Notes, April 2023

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not effect metric data collection for data collectors that use the Agent. However, it will disable metric testing.

Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks report RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning a physical path to the logical path RSPO_FILE_LOCATION delivered with the note using transaction FILE.

Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.

Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.  

SAP Security Notes, March 2023

Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.

Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.

Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.

Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.

SAP Security Notes, February 2023

Hot news note 3273480 was updated in February for a critical vulnerability that could enable attackers to compromise installations of NetWeaver Application Server Java (AS Java) via an open JNDI interface exposed through User Defined Search (UDS). The updates include corrections for side effects caused by the original fix for the vulnerability that implemented authorization checks for affected public methods. Note 3301366 corrects side effects for alerting and monitoring after implementing note 3273480. Note 3284781 provides instructions to correct side effects observed for specific services used by Process Integration (PI).

Note 3285757 recommends upgrading the SAP Host Agent to the latest version 7.22 PL59 in order to patch a high priority privilege escalation vulnerability. Attackers can exploit the vulnerability to execute operating system commands using administrative privileges through webservice requests.

Note 3256787 includes a fix for an unrestricted file upload vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). The note also includes instructions for a workaround that involves applying a whitelist for file format types using the property upload.file.allowed.formats in the global.properties file.

Other important notes include 3263135 and 3271091 for information disclosure and privilege escalation vulnerabilities in BOBJ and SAP Business Planning and Consolidation (BPC), respectively.

SAP Security Notes, January 2023

Hot news note 3089413 patches a critical capture-replay vulnerability that can lead to authentication bypass in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by the failure to use unique hashes for system identification. Note 3089413 includes corrections for the SAP kernel and the SAP Basis component. The corrections must be applied in both trusting and trusted systems.

Hot news note 3268093 deals with a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). An unauthenticated attacker can attach to an open interface and exploit an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data. This could allow the attacker to gain full read access to user data, modify data and disrupt the availability of services within the system. The correction removes public access to basicadmin and adminadapter services and introduces authentication and authorization for the relevant objects. The required permissions are automatically assigned to the Administrator, NWA_SUPERADMIN, and NWA_READONLY roles by the corrections.

Note 3243924 patches a high-risk insecure deserialization of untrusted data vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). Authenticated attackers with minimal privileges can intercept and modify serialized objects in the Central Management Console and BI LaunchPad of BOBJ. Note 3243924 restricts deserialization to specific internal classes. The note also includes instructions for a workaround that involves removing the vulnerable code in specific files.

Other important notes include 3262810 and 3275391 for code injection and SQL injection vulnerabilities in the Analysis Edition for OLAP in BOBJ and SAP Business Planning and Consolidation, respectively.

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of an open naming and directory API to access services and read and modify sensitive information, execute SQL commands, and perform a denial of service. There are no workarounds for the vulnerabilities. The notes apply access control for the interface. After the implementation of the correction, full access to the interface will require UME role SAP_XI_ADMINISTRATOR_J2EE. Read and write access will require roles SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE. Read-only access can be provided using role NWA_READONLY.

Note 3239475 deals with a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability enables attackers with non-administrative privileges to upload/replace any file in the operating system of the Business Objects server, thereby taking full control of the system. Both the Central Management Console (CMC) and BI Launchpad (BILP) on BOBJ 4.2 and 4.3 are impacted.

Hot news note 3271523 patches a remote code execution vulnerability associated with Apache Commons Text in SAP Commerce, an open-source Java library that performs variable interpolation. Versions 1.5 – 1.9 of Apache Commons Text include interpolators that can be used to execute arbitrary code or connect with remote servers. The library should be updated to 1.10 to disable the vulnerable interpolators. Note 3271523 includes instructions for locating and updating the affected .jar files manually.

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, or provoke a denial of service. As a workaround, customers can first backup and then delete the files in the following folders of the Tomcat directory:

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_DestinationFormat

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_Format

The workaround disables the selection of the format in the creation of a Publication or a Schedule. It will cause a HTTP 404 page in the Format area when trying to schedule a document. This impacts the CMC only. There is no impact on the BI Launchpad.

Note 3256571 for CVE-2022-41214 addresses multiple high-risk directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by insufficient path validation that enables attackers to access remote-enabled function modules to read and delete restricted files in AS ABAP.

Note 3249990 deals with denial of service vulnerabilities in SQlite bundled with SAPUI5 that can be triggered by array-bounds overflow.

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific versions of SAP Commerce Cloud. Workarounds are also detailed in the note if the patches cannot be applied. This includes removing the OAuth extension and URL filtering. The latter can be implemented using website redirects in SAP Commerce. However, there are known side-effects with the workarounds. For example, the OAuth extension is required by SmartEdit Module, Assisted Service Module, and other extensions. OAuth may also be required for integrations.

Note 3242933 provides a fix for critical directory traversal vulnerability in SAP Manufacturing Execution that could lead to information disclosure. The effected plugins are Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER).

Note 3229132 patches an information disclosure vulnerability in Program Objects within SAP BusinessObjects Business Intelligence Platform that could be exploited to compromise OS credentials. The credentials are exposed in clear-text to administrators.

Note 3232021 deals with a buffer overflow vulnerability in SAP SQL Anywhere and SAP IQ that can be used to trigger a denial of service in database servers.

Notes 3245929 and 3245928 patch multiple high-risk vulnerabilities in SAP Visual Enterprise Viewer.