Layer Seven Security

SAP Security Notes, March 2022

Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU.

ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers.  SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.

Note 3123427 patches ICMAD in AS Java. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.

The central note 3131047 for the critical remote code execution vulnerability in the Apache Log4J 2 component was updated with the addition of security note 3154684. The new note patches Log4Shell in the mobile solution SAP Work Manager.

SAP Security Notes, February 2022

The central note 3131047 was updated with the addition of security notes 3142773 and 3139893 for the critical remote code execution vulnerability in the Apache Log4J 2 component. The new notes patch Log4Shell in SAP Commerce and SAP Dynamic Authorization Management and include manual procedures to apply both patches and workarounds.

Note 3140940 patches a code injection vulnerability in SAP Solution Manager due to missing segregation of duties in Root Cause Analysis (RCA) Tools. RCA supports central diagnostics and monitoring for SAP systems. Users with admin privileges are able to browse files and execute code through connected Diagnostics Agents. The note references note 3145008 for downloading the latest version of LM_SERVICE that contains the fix. It also references note 3137764 for removing links to the vulnerable applications.

Note 3140587 addresses a high-risk SQL injection vulnerability in the Workplace Server of NetWeaver Application Server ABAP. Note 3123427 provides a fix for a HTTP Request Smuggling vulnerability in SAP NetWeaver Application Server Java.

SAP Security Notes, January 2022

Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component.

Note 3112928 deals with reflected cross-site scripting and code injection vulnerabilities in S/4HANA. The solution implements checks for malicious file uploads or downloads using the SAP Virus Scan Interface (VSI). VSI provides an interface for third party anti-virus software to protect against the import of malicious code into SAP systems.

Note 3123196 was updated for a high priority OS code injection vulnerability in specific methods of a utility class in SAP NetWeaver Application Server ABAP. Malicious code can be injected using transaction SE24 (Class Builder) or SE80 (Object Navigator). Exploitation of the vulnerability requires permissions for authorization object S_DEVELOP with values CLAS and 16 for fields OBJTYPE and ACTVT, respectively. Therefore, restricting access to these permissions also mitigates the vulnerability.


SAP Security Notes, December 2021

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility, developed and maintained by the Apache Software Foundation. Log4J versions 2.14.1 and lower support remote message lookup substitution using the Java Naming and Directory Interface (JNDI) Application Programming Interface (API). Message lookup substitutions are used modify the Log4J configuration with dynamic values. The default setting for the JNDI property in Log4J enables values to be retrieved from remote sources.

A zero-day Remote Code Execution (RCE) vulnerability impacting the message lookup feature via JNDI in Log4J was discovered and reported by security researchers to the Apache Foundation on November 24, 2021. The vulnerability was patched by Apache on December 6 and published in the National Vulnerability Database on December 12 as CVE-2021-44228, also known as Log4Shell. A POC for the vulnerability was published on GitHub.  CVE-2021-44228 has the maximum possible CVSS score of 10.0/10.0. The attack complexity is classified as low, requiring no privileges or user interaction.

Log4J is included in bundled in multiple SAP solutions. As of December 26, 2021, SAP had provided patches for products including SAP HANA XS Advanced (XSA) Runtime and XSA Cockpit, Process Orchestration, and Landscape Management. Patches were pending for multiple solutions including SAP Business One, Commerce, PowerDesigner, and Web IDE for HANA. Workarounds are provided for some of the unpatched solutions via Knowledge Based Articles (KBA).


SAP Security Notes, November 2021

Hot news note 3089831 was updated for a SQL Injection vulnerability in SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or inject code through vulnerable NZDT function modules. The automatic corrections applied through the note deactivate some of the affected function modules and deactivates the import parameter for other function modules. As a result, the SAP Test Data Migration Server will no longer be usable after applying the fix. A workaround is included in the note if the fix cannot be applied. This will block external calls to the relevant function modules using Unified Connectivity (UCON). However, the function modules may still be called by local users with sufficient privileges.

Hot news note 3099776 patches a missing authorization check in the ABAP Platform Kernel. The vulnerability could be exploited to escalate privileges and access connected systems through RFC or HTTP connections. The recommended SP Stack Kernels in the note should be installed to apply a TCODE check that addresses the vulnerability.

Note 2827086 provides corrections for multiple vulnerabilities affecting SAP Forecasting and Replenishment for Retail in SAP Supply Chain Management (SCM). This includes memory corruption and denial of service.

Note 2971638 removes hardcoded credentials for CA Introscope Enterprise Manager in SAP Solution Manager and SAP Focused Run. Manual steps are also included in the note for updating the credentials.

Note 3110328 applies search restrictions to resolve a missing authorization check in the B2B Accelerator of SAP Commerce that could lead to an escalation of privileges.

SAP Security Notes, October 2021

Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note 3097887 deletes the relevant report. There is no workaround. The vulnerability impacts all versions of SAP Basis from 700 to 756.

Hot News note 3101406 deals with an XML External Entity injection vulnerability in SAP Environmental Compliance. The vulnerability impacts the XMLBeans open source software bundled in Environmental Compliance to support data import functionality. The note updates some software components to secure versions and replaces other components with closed-source software. This highlights the risk of using open source software in commercial software.

Other important notes include 2900326 which removes a missing authorization check in Payment Engine and note 3077635 which deals with a Denial of Service vulnerability in mobile clients for SAP SuccessFactors.

SAP Security Notes, September 2021

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but a temporary workaround is outlined in note 3093977.

Note 3081888 deals with a code Injection vulnerability for XMLForms in SAP NetWeaver Knowledge Management. The note includes a patch for the XMLToolkit parser to prevent the execution of malicious XSL stylesheet files containing scripts with OS-level commands.

Note 3073891 patches multiple OS command injection and reflected Cross-Site Scripting (XSS) vulnerabilities in SAP Contact Center. The vulnerabilities are caused by improper encoding of user input.  

Note 3089831 introduces input validation to protect the remote execution of vulnerable function modules that could be exploited to gain access to backend databases. The note includes instructions for blocking remote calls to the impacted function modules using Unified Connectivity (UCON) as a workaround.

Note 3084487 removes a vulnerable component of SAP NetWeaver Visual Composer that could be exploited by attackers to upload malicious files that run operating system commands with the privileges of the Java Server process. The commands could be used to read and modify data or provoke a denial of service.

SAP Security Notes, August 2021

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The patches included in the note remove the vulnerable servlet from productive code.

Hot news note 3078312 deals with a blind SQL injection vulnerability in DMIS Mobile Plug-In and SAP S/4HANA. The notes adds an ASSERT statement after the authorization check for function module IUUC_RECON_RC_COUNT_TABLE_BIG that enforces import parameter IT_WHERE_CLAUSE to be empty. If import parameter IT_WHERE_CLAUSE is not empty, the execution of the function module will fail with a short dump. The deactivation of parameter IT_WHERE_CLAUSE is not expected to impact products released to customers, because the remote-enabled function module IUUC_RECON_RC_COUNT_TABLE_BIG is only used by SAP.

Note 3071984 includes an updated workaround for a critical unrestricted file upload vulnerability in SAP Business One. The vulnerability could be exploited to upload any malicious files including scripts without file format validation.

Note 3057378 patches a high risk missing authentication in SAP Web Dispatcher when using X.509 client certificates. The vulnerability also impacts SAP HANA and SAP HANA XS installations containing embedded Web Dispatchers.

SAP Security Notes, July 2021

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications.  Note 3007182 includes kernel patches for multiple kernel and Basis versions.

Note 3059446 patches a high priority missing authorization check in NetWeaver AS Java. The Administration Workset in Guided Procedures does not perform necessary authorization checks for an authenticated user, resulting in an escalation of privileges. The affected functions have now been changed and enforced to properly check access restrictions. A possible workaround is to disable the GP Administration Workset using filters in the configuration template. In NWA->Java System Properties, choose the configuration template and in the Filters tab add the filter to disable the caf~eu~gp~ui~admin application.

Note 3056652 includes patches for the J2EE Server Core in NetWeaver AS Java to apply input validation for HTTP requests before storing monitoring data. This will protect against malicious HTTP requests with manipulated headers that could lead to the exhaustion of system resources and provoke a denial of service.

SAP Security Notes, June 2021

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. Customers that do not wish to install the patch can apply a workaround by adjusting the permissions that grant create and change privileges to the SourceRule type. The goal of the workaround is to ensure that only highly trusted employees have such privileges.

Notes 3021197, 3020209 and 302010 deal with multiple high-risk memory corruption vulnerabilities in SAP NetWeaver ABAP. The multiples could be exploited to perform a denial of service using specially crafted requests targeted at the Dispatcher process, SAP Gateway, and SAP Enqueue Server.

Note 3053066 removes a missing XML validation vulnerability in SAP NetWeaver AS Java that could enable attackers to read files in the file system or crash SAP services using specially crafted XML files. The note enables blocking of external entities via the XML parser.