Layer Seven Security

SAP Security Notes, December 2021

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4Shell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.

Log4Shell impacts Log4J, a widely installed open-source Java logging utility, developed and maintained by the Apache Software Foundation. Log4J versions 2.14.1 and lower support remote message lookup substitution using the Java Naming and Directory Interface (JNDI) Application Programming Interface (API). Message lookup substitutions are used to modify the Log4J configuration with dynamic values. The default setting for the JNDI property in Log4J enables values to be retrieved from remote sources.

A zero-day Remote Code Execution (RCE) vulnerability impacting the message lookup feature via JNDI in Log4J was discovered and reported by security researchers to the Apache Foundation on November 24, 2021. The vulnerability was patched by Apache on December 6 and published in the National Vulnerability Database on December 12 as CVE-2021-44228, also known as Log4Shell. A proof of concept (POC) for the vulnerability was published on GitHub. CVE-2021-44228 has the maximum possible CVSS score of 10.0/10.0. The attack complexity is classified as low, requiring no privileges or user interaction.

Log4J is bundled in multiple SAP solutions. As of December 26, 2021, SAP had provided patches for products including SAP HANA XS Advanced (XSA) Runtime and XSA Cockpit, Process Orchestration, and Landscape Management. Patches were pending for multiple solutions including SAP Business One, Commerce, PowerDesigner, and Web IDE for HANA. Workarounds are provided for some of the unpatched solutions via Knowledge Base Articles (KBAs).
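Because the note only states the affected version ceiling (2.14.1 and lower), the first practical step is an inventory of bundled log4j-core jars. The following script is an added example, not code from the note or from SAP; the jar paths are constructed and the version parsing is a simple pattern match on the file name, which is an assumption about how the jars are named on disk.

```python
import re
from typing import List, Optional, Tuple

# The December 2021 summary above states that Log4J 2.14.1 and lower support the
# remote JNDI message lookup. Anything strictly below 2.15.0 is therefore at or
# below that ceiling and gets flagged for review.
LOOKUP_CEILING_EXCLUSIVE = (2, 15, 0)

# Matches file names such as log4j-core-2.14.1.jar or log4j-core-2.3.jar
# (assumed naming convention; vendor-repackaged jars may differ).
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def log4j_core_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a log4j-core jar path, or None if the
    path is not a log4j-core jar (log4j-api alone does not carry the lookup)."""
    m = JAR_RE.search(path)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_lookup_vulnerable(path: str) -> bool:
    """True when the jar's version is 2.14.1 or lower per the note's threshold."""
    v = log4j_core_version(path)
    return v is not None and v < LOOKUP_CEILING_EXCLUSIVE


def triage(paths: List[str]) -> List[str]:
    """Return the subset of an inventory that needs the consolidated patch."""
    return [p for p in paths if is_lookup_vulnerable(p)]


# Constructed sample inventory (hypothetical paths, not real SAP file locations).
SAMPLE_INVENTORY = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/other/lib/log4j-core-2.3.jar",
]

if __name__ == "__main__":
    for jar in triage(SAMPLE_INVENTORY):
        print("needs review:", jar)
```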


SAP Security Notes, November 2021

Hot news note 3089831 was updated for a SQL Injection vulnerability in the SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or injecting code through vulnerable NZDT function modules. The automatic corrections applied through the note deactivate some of the affected function modules and deactivate the import parameter for the other function modules. As a result, the SAP Test Data Migration Server will no longer be usable after applying the fix. A workaround is included in the note if the fix cannot be applied. The workaround blocks external calls to the relevant function modules using Unified Connectivity (UCON). However, the function modules may still be called by local users with sufficient privileges.

Hot news note 3099776 patches a missing authorization check in the ABAP Platform Kernel. The vulnerability could be exploited to escalate privileges and access connected systems through RFC or HTTP connections. The recommended SP Stack Kernels in the note should be installed to apply a TCODE check that addresses the vulnerability.

Note 2827086 provides corrections for multiple vulnerabilities affecting SAP Forecasting and Replenishment for Retail in SAP Supply Chain Management (SCM). This includes memory corruption and denial of service.

Note 2971638 removes hardcoded credentials for CA Introscope Enterprise Manager in SAP Solution Manager and SAP Focused Run. Manual steps are also included in the note for updating the credentials.

Note 3110328 applies search restrictions to resolve a missing authorization check in the B2B Accelerator of SAP Commerce that could lead to an escalation of privileges.

SAP Security Notes, October 2021

Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note 3097887 deletes the relevant report. There is no workaround. The vulnerability impacts all versions of SAP Basis from 700 to 756.

Hot News note 3101406 deals with an XML External Entity injection vulnerability in SAP Environmental Compliance. The vulnerability impacts the XMLBeans open source software bundled in Environmental Compliance to support data import functionality. The note updates some software components to secure versions and replaces other components with closed-source software. This highlights the risk of using open source software in commercial software.

Other important notes include 2900326 which removes a missing authorization check in Payment Engine and note 3077635 which deals with a Denial of Service vulnerability in mobile clients for SAP SuccessFactors.

SAP Security Notes, September 2021

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but a temporary workaround is outlined in note 3093977.

Note 3081888 deals with a code Injection vulnerability for XMLForms in SAP NetWeaver Knowledge Management. The note includes a patch for the XMLToolkit parser to prevent the execution of malicious XSL stylesheet files containing scripts with OS-level commands.

Note 3073891 patches multiple OS command injection and reflected Cross-Site Scripting (XSS) vulnerabilities in SAP Contact Center. The vulnerabilities are caused by improper encoding of user input.  

Note 3089831 introduces input validation to protect the remote execution of vulnerable function modules that could be exploited to gain access to backend databases. The note includes instructions for blocking remote calls to the impacted function modules using Unified Connectivity (UCON) as a workaround.

Note 3084487 removes a vulnerable component of SAP NetWeaver Visual Composer that could be exploited by attackers to upload malicious files that run operating system commands with the privileges of the Java Server process. The commands could be used to read and modify data or provoke a denial of service.

SAP Security Notes, August 2021

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The patches included in the note remove the vulnerable servlet from productive code.

Hot news note 3078312 deals with a blind SQL injection vulnerability in DMIS Mobile Plug-In and SAP S/4HANA. The note adds an ASSERT statement after the authorization check for function module IUUC_RECON_RC_COUNT_TABLE_BIG that enforces import parameter IT_WHERE_CLAUSE to be empty. If import parameter IT_WHERE_CLAUSE is not empty, the execution of the function module will fail with a short dump. The deactivation of parameter IT_WHERE_CLAUSE is not expected to impact products released to customers, because the remote-enabled function module IUUC_RECON_RC_COUNT_TABLE_BIG is only used by SAP.
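The fix in note 3078312 does not sanitise the WHERE clause, it refuses it outright. The following Python sketch is an added illustration of that pattern, not SAP's ABAP code: a row-count routine with a caller-supplied predicate (the pre-fix shape) next to a variant that, like the ASSERT, rejects any non-empty clause. The in-memory table and its contents are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for a backend table reached through a
# remote-enabled function module (hypothetical data, not an SAP table).
def _demo_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE demo_rows (id TEXT, name TEXT)")
    con.executemany("INSERT INTO demo_rows VALUES (?, ?)",
                    [("0001", "Alpha"), ("0002", "Beta"), ("0003", "Gamma")])
    return con

DEMO = _demo_db()


def count_rows_before(where_clause: str, con: sqlite3.Connection = DEMO) -> int:
    """Pre-fix shape: the caller-supplied WHERE fragment is spliced into the
    statement unchanged, so a remote caller controls the predicate and can
    learn about table contents one true/false count at a time."""
    sql = "SELECT COUNT(*) FROM demo_rows"
    if where_clause:
        sql += " WHERE " + where_clause
    return con.execute(sql).fetchone()[0]


class WhereClauseNotAllowed(Exception):
    """Stands in for the short dump raised when the ASSERT fails."""


def count_rows_after(where_clause: str, con: sqlite3.Connection = DEMO) -> int:
    """Post-fix shape: mirrors the ASSERT placed after the authorization check.
    The parameter is required to be empty; no attempt is made to clean it."""
    if where_clause:
        raise WhereClauseNotAllowed("IT_WHERE_CLAUSE must be empty")
    return con.execute("SELECT COUNT(*) FROM demo_rows").fetchone()[0]


def fix_rejects(where_clause: str) -> bool:
    """True if the patched variant refuses the given clause."""
    try:
        count_rows_after(where_clause)
    except WhereClauseNotAllowed:
        return True
    return False
```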

Note 3071984 includes an updated workaround for a critical unrestricted file upload vulnerability in SAP Business One. The vulnerability could be exploited to upload any malicious files including scripts without file format validation.

Note 3057378 patches a high risk missing authentication in SAP Web Dispatcher when using X.509 client certificates. The vulnerability also impacts SAP HANA and SAP HANA XS installations containing embedded Web Dispatchers.

SAP Security Notes, July 2021

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications. Note 3007182 includes kernel patches for multiple kernel and Basis versions.

Note 3059446 patches a high priority missing authorization check in NetWeaver AS Java. The Administration Workset in Guided Procedures does not perform necessary authorization checks for an authenticated user, resulting in an escalation of privileges. The affected functions have now been changed and enforced to properly check access restrictions. A possible workaround is to disable the GP Administration Workset using filters in the configuration template. In NWA->Java System Properties, choose the configuration template and in the Filters tab add the filter to disable the caf~eu~gp~ui~admin application.

Note 3056652 includes patches for the J2EE Server Core in NetWeaver AS Java to apply input validation for HTTP requests before storing monitoring data. This will protect against malicious HTTP requests with manipulated headers that could lead to the exhaustion of system resources and provoke a denial of service.

SAP Security Notes, June 2021

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. The SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. Customers that do not wish to install the patch can apply a workaround by adjusting the permissions that grant create and change privileges to the SourceRule type. The goal of the workaround is to ensure that only highly trusted employees have such privileges.

Notes 3021197, 3020209 and 302010 deal with multiple high-risk memory corruption vulnerabilities in SAP NetWeaver ABAP. The vulnerabilities could be exploited to perform a denial of service using specially crafted requests targeted at the Dispatcher process, SAP Gateway, and SAP Enqueue Server.

Note 3053066 removes a missing XML validation vulnerability in SAP NetWeaver AS Java that could enable attackers to read files in the file system or crash SAP services using specially crafted XML files. The note enables blocking of external entities via the XML parser.

SAP Security Notes, May 2021

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code. The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note. Access to SA38 and SE38 can be restricted as a workaround.

Notes 3049755 and 3049661 deal with multiple vulnerabilities in SAP Business One. This includes code injection, OS command injection, and information disclosure.

Notes 3012021 and 2745860 patch XML injection, information disclosure and unrestricted file upload vulnerabilities in the Integration Builder Framework of SAP Process Integration.

SAP Security Notes, April 2021

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute the function module can inject malicious ABAP code. The code is saved persistently in a report in the ABAP repository. The report can then be executed to inject the code, leading to the loss of sensitive data, modification of critical data, or denial of service. Note 2999854 introduces input validation for the affected functions to prevent code injection.

Hot news note 3040210 patches a remote code injection vulnerability in Source Rules of SAP Commerce. SAP Commerce Backoffice allows certain authorized users to create source rules which are translated to Drools rules when published to certain modules within the application. An attacker can inject malicious code in the source rules and perform remote code execution, enabling them to compromise the confidentiality, integrity and availability of the application. SAP Commerce installations that do not include any extensions from the Rule Engine module are not affected. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules.

Note 3022422 includes an updated FAQ for a critical missing authorization check in the MigrationService of SAP NetWeaver Application Server Java (AS Java). The vulnerability could be exploited by attackers to grant administrative privileges by accessing specific configuration objects. The solution included in the note requires a system restart. Note 3030298 includes a temporary workaround if a restart is not possible.

Note 3001824 patches an information disclosure vulnerability in AS Java. Attackers can invoke telnet commands to access NTLM hashes of privileged users. Possible workarounds for the vulnerability include disabling outgoing NTLM traffic by group policy, blocking outgoing SMB requests via appropriate firewall rules, and, for Linux systems, disabling the Samba protocol on all the hosts in a cluster.

SAP Security Notes, March 2021

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are executed by MII when dashboards are opened by users. The solution applied via note 3022622 blocks the saving of files as JSP through SSCE. There is no workaround for the vulnerability.

Hot news note 3022422 removes a missing authorization check in the MigrationService of the SAP NetWeaver Application Server Java (AS Java). This could provide unauthorized access to configuration objects including objects that grant administrative privileges. The solution requires a system restart. The workaround in note 3030298 can be applied if a system restart is not possible.

Note 3017378 addresses a high priority authentication bypass vulnerability in SAP HANA installations using external authentication via LDAP directory services. SAP HANA systems and users configured for LDAP are only vulnerable if the connected LDAP directory server is enabled for unauthenticated binds. Some directory servers can be configured to offer an unauthenticated bind via LDAP. In these cases, the SAP HANA database’s handling of LDAP authentication can be misused. An attacker can gain access to an SAP HANA database system without proper authentication through users enabled for LDAP-based authentication.