Category: Advisories

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse.

Note 3150454 was also updated to enforce authorization checks in lower SP levels of SAP NetWeaver Application Server ABAP when RFC destinations are modified using transaction SM59.

Note 3210823 addresses an information disclosure vulnerability in Open Document within SAP BusinessObjects Business Intelligence Platform (BOBJ). Open Document is a web application that processes incoming URL requests for documents and other objects. The vulnerability can be exploited by unauthenticated attackers to retrieve sensitive information over the network. The impacted versions of BOBJ are 4.2 SP009 and 4.3 SP002 – SP003.

Notes 3213524 and 3213507 patch lower-priority information disclosure vulnerabilities in the commentary and monitoring databases of SAP BOBJ that could lead to the exposure of sensitive system data. The vulnerabilities require network access for successful exploitation.

There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from XPath passwords to explicit passwords in the FTP Adapter as temporary workaround.

Note 3157613 deals with a missing authentication check in the License Service API of Business One that could enable attackers to provoke a denial of service.

Note 3191012 resolves a code injection vulnerability in Business One that enables threat actors to upload and execute malicious executable files, such as exe, bat, and other script or binary file types. The note blocks the upload of file types included in the Microsoft block list.

Notes 3221288 and 3213141 patch vulnerabilities that can lead to the leakage of token information and access credentials for SAP BusinessObjects Business Intelligence and SAP Landscape Management, respectively.

Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the SAProuter. Entries that use the P or S prefix with a wildcard in target host and either a wildcard in the target port or the default port 3299 are vulnerable to the exploit. The use of wildcards in target host and target port for P and S entries is not recommended by SAP. Refer to SAP note 1895350 for details. The use of specific hostnames or IP addresses for target hosts will provide a temporary fix for the vulnerability. However, SAProuter versions 7.22 and 7.53 should be patched to patch levels 1119 and 1011, respectively, to permanently address the vulnerability. Kernel patches are also included in note 3158375.

Note 3197005 deals with a privilege escalation vulnerability in SAP PowerDesigner Proxy. The vulnerability can enable attackers with non-administrative privileges to work around a system’s root disk access restrictions to write or create a program file on the system disk root path, which could then be executed with the elevated privileges of the application during application start up or reboot.

Note 2726124 patches missing authorization checks in multiple components of SAP Automotive Solutions that can also lead users to escalate privileges.

Note 3147498 removes an access control gap in SAP NetWeaver Application Server Java to restrict access to remote objects such as adminadapter services.

Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788.

Notes 2756188 and 2754555 patch Cross-Site Request Forgery (CSRF) vulnerabilities in the front end and back end of Bank Payments of the Fiori UI for Financial Accounting.

Note 2998510 provides a fix for an information disclosure vulnerability in the Central Management Server (CMS) of SAP BusinessObjects that could lead to the leakage of authentication credentials in Sysmon event logs.

Central note 3170990 was updated with note 3189409 to include a patch for the critical Sping4Shell Remote Code Execution vulnerability in SAP Business One Cloud.

The central note 3170990 consolidates security notes for the critical Spring4Shell vulnerability. Spring4Shell is addressed by CVE-2022-22965. This is related to a remote code execution vulnerability in the open-source Java Spring Framework. Successful exploitation requires Apache Tomcat for serving applications built as a WAR file. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Sping4Shell in multiple SAP Solutions including SAP HANA Extended Application Services, PowerDesigner Web and SAP Commerce.

Hot news notes 3022622 and 3158613 fix a code injection vulnerability in SAP Manufacturing Integration and Intelligence. The vulnerability can be exploited by threat actors to escalate privileges and execute OS commands. The notes block the saving of Java Server Pages (JSP) through the SSCE (Self Service Composition Environment).

Note 3111311 provides solutions for a high priority Denial of Service vulnerability in the Web Dispatcher and Internet Communication Manager. The vulnerability is caused by a program error related to parameter icm/HTTP/file_access. The parameter defines static file access for URL prefixes and the target directory for static files.

Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU.

ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers.  SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches ICMAD in AS Java. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.

The central note 3131047 for the critical remote code execution vulnerability in the Apache Log4J 2 component was updated with the addition of security note 3154684. The new note patches Log4Shell in the mobile solution SAP Work Manager.

The central note 3131047 was updated with the addition of security notes 3142773 and 3139893 for the critical remote code execution vulnerability in the Apache Log4J 2 component. The new notes patch Log4Shell in SAP Commerce and SAP Dynamic Authorization Management and include manual procedures to apply both patches and workarounds.

Note 3140940 patches a code injection vulnerability in SAP Solution Manager due to missing segregation of duties in Root Cause Analysis (RCA) Tools. RCA supports central diagnostics and monitoring for SAP systems. Users with admin privileges are able to browse files and execute code through connected Diagnostics Agents. The note references note 3145008 for downloading the latest version of LM_SERVICE that contains the fix. It also references note 3137764 for removing links to the vulnerable applications.

Note 3140587 addresses a high-risk SQL injection vulnerability in the Workplace Server of NetWeaver Application Server ABAP. Note 3123427 provides a fix for a HTTP Request Smuggling vulnerability in SAP NetWeaver Application Server Java.

Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component.

Note 3112928 deals with reflected cross-site scripting and code injection vulnerabilities in S/4HANA. The solution implements checks for malicious file uploads or downloads using the SAP Virus Scan Interface (VSI). VSI provides an interface for third party anti-virus software to protect against the import of malicious code into SAP systems.

Note 3123196 was updated for a high priority OS code injection vulnerability in specific methods of a utility class in SAP NetWeaver Application Server ABAP. Malicious code can be injected using transaction SE24 (Class Builder) or SE80 (Object Navigator). Exploitation of the vulnerability requires permissions for authorization object S_DEVELOP with values CLAS and 16 for fields OBJTYPE and ACTVT, respectively. Therefore, restricting access to these permissions also mitigates the vulnerability.

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility, developed and maintained by the Apache Software Foundation. Log4J versions 2.14.1 and lower support remote message lookup substitution using the Java Naming and Directory Interface (JNDI) Application Programming Interface (API). Message lookup substitutions are used modify the Log4J configuration with dynamic values. The default setting for the JNDI property in Log4J enables values to be retrieved from remote sources.

A zero-day Remote Code Execution (RCE) vulnerability impacting the message lookup feature via JNDI in Log4J was discovered and reported by security researchers to the Apache Foundation on November 24, 2021. The vulnerability was patched by Apache on December 6 and published in the National Vulnerability Database on December 12 as CVE-2021-44228, also known as Log4Shell. A POC for the vulnerability was published on GitHub.  CVE-2021-44228 has the maximum possible CVSS score of 10.0/10.0. The attack complexity is classified as low, requiring no privileges or user interaction.

Log4J is included in bundled in multiple SAP solutions. As of December 26, 2021, SAP had provided patches for products including SAP HANA XS Advanced (XSA) Runtime and XSA Cockpit, Process Orchestration, and Landscape Management. Patches were pending for multiple solutions including SAP Business One, Commerce, PowerDesigner, and Web IDE for HANA. Workarounds are provided for some of the unpatched solutions via Knowledge Based Articles (KBA).

Hot news note 3089831 was updated for a SQL Injection vulnerability in SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or inject code through vulnerable NZDT function modules. The automatic corrections applied through the note deactivate some of the affected function modules and deactivates the import parameter for other function modules. As a result, the SAP Test Data Migration Server will no longer be usable after applying the fix. A workaround is included in the note if the fix cannot be applied. This will block external calls to the relevant function modules using Unified Connectivity (UCON). However, the function modules may still be called by local users with sufficient privileges.

Hot news note 3099776 patches a missing authorization check in the ABAP Platform Kernel. The vulnerability could be exploited to escalate privileges and access connected systems through RFC or HTTP connections. The recommended SP Stack Kernels in the note should be installed to apply a TCODE check that addresses the vulnerability.

Note 2827086 provides corrections for multiple vulnerabilities affecting SAP Forecasting and Replenishment for Retail in SAP Supply Chain Management (SCM). This includes memory corruption and denial of service.

Note 2971638 removes hardcoded credentials for CA Introscope Enterprise Manager in SAP Solution Manager and SAP Focused Run. Manual steps are also included in the note for updating the credentials.

Note 3110328 applies search restrictions to resolve a missing authorization check in the B2B Accelerator of SAP Commerce that could lead to an escalation of privileges.