Layer Seven Security

SAP Security Notes, March 2020

Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a direct P4 connection. P4 is a proprietary SAP protocol based on Remote Method Invocation (RMI) and Common Object Request Broker Architecture (CORBA). Direct P4 connections between Solution Manager and Diagnostics Agents are not recommended by SAP for most scenarios.

The patch delivered in note 2845377 closes the P4 port and therefore prevents connections to the service. Leaving the port open could enable attackers to connect to the Agent and execute commands with the permissions of the <SID>adm user. It could also enable attackers to shut down the Agent and thereby interrupt monitoring in Solution Manager. However, the impact on security monitoring would be minimal, since the Diagnostics Agent supports monitoring for AS Java and SAProuter log files only. Availability monitoring is performed using the SAP Host Agent. The Diagnostics Agent is used primarily for performance monitoring.

Hot News note 2890213 patches a missing authentication check in User-Experience Monitoring (UXMon). UXMon executes and analyzes the results of client-side scripts to monitor availability and performance metrics in endpoints. The note enables user authentication for the EemAdmin administration service.

Note 2806198 provides corrections for a critical directory traversal vulnerability in the SAP NetWeaver Universal Description Discovery and Integration (UDDI) Server. The UDDI Server is a Services Registry containing definitions for enterprise services and metadata references. It also provides information related to web service consumers and providers including physical systems.

SAP Security Notes, February 2020

Note 2841053 patches a high risk Denial of Service (DoS) vulnerability in the SAP Host Agent. Username/password-based authentication requests for the SAP Host Agent are delegated to the operating system or to LDAP, Active Directory and other authentication platforms. Operating systems and authentication platforms often include mechanisms that limit parallel logon requests in order to protect against brute force attacks. When these mechanisms are triggered, responses to logon requests can be delayed. Note 2841053 recommends blocking access from untrusted networks to the Host Agent ports 1128 and 1129. Alternatively, access to the Host Agent can be bound to specific IP addresses or hostnames defined in the value of profile parameter service/hostname, or restricted using an access control list specified in the host_profile of the agent. Another option is to disable username/password-based authentication and allow only certificate-based authentication by setting the host profile parameter saphostagent/authentication_method to the value disabled.
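The following script is an added example, not SAP tooling, that checks a host_profile for the two hardening options the note describes (binding via service/hostname and certificate-only authentication via saphostagent/authentication_method). The profile line format (parameter = value with # comments) and the sample profiles are assumptions and constructed samples, not taken from a real system.

```python
"""Audit an SAP Host Agent host_profile against the two hardening options
described in SAP Note 2841053. This is an added example, not SAP tooling.

Assumed (not from the note): the profile uses the usual SAP
`parameter = value` line format with `#` comments. The parameter
semantics follow the note's description: service/hostname binds the
agent to one address or hostname, and
saphostagent/authentication_method = disabled turns off
username/password authentication so that only certificates are accepted.
"""
import re

# Constructed sample: an agent left at its defaults (listens on every
# interface, password logons still delegated to the OS/LDAP).
DEFAULT_PROFILE = """\
# host_profile (constructed sample, not taken from a real system)
SAPSYSTEMNAME = SAP
DIR_EXECUTABLE = /usr/sap/hostctrl/exe
service/porttypes = SAPHostControl SAPOscol SAPCCMS
"""

# Constructed sample with both options from the note applied.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = SAP
DIR_EXECUTABLE = /usr/sap/hostctrl/exe
service/porttypes = SAPHostControl SAPOscol SAPCCMS
service/hostname = 10.0.0.5
saphostagent/authentication_method = disabled
"""

# One `name = value` line; comment lines start with '#'.
_PARAM_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> dict:
    """Return the profile's parameters as a dict (last definition wins)."""
    params = {}
    for line in text.splitlines():
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def audit_host_profile(text: str) -> list:
    """Return a list of findings; an empty list means both options are set."""
    params = parse_profile(text)
    findings = []
    if not params.get("service/hostname"):
        findings.append(
            "service/hostname not set: the agent listens on all interfaces, "
            "so ports 1128/1129 must be filtered from untrusted networks")
    if params.get("saphostagent/authentication_method", "").lower() != "disabled":
        findings.append(
            "saphostagent/authentication_method is not 'disabled': "
            "username/password logons are still delegated to the OS or LDAP "
            "and can trigger logon throttling")
    return findings


if __name__ == "__main__":
    for name, profile in (("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_host_profile(profile) or ["no findings"])
```

Run it against the contents of the real host_profile on each host; a host that still produces the first finding needs the network-layer filtering of ports 1128 and 1129 the note recommends, and one that produces the second is still exposed to the logon-throttling delay.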

Notes 2878030 and 2877968 deal with missing input validation vulnerabilities in SAP Landscape Management. Attackers with admin privileges could exploit the vulnerabilities to execute malicious commands with root privileges in the SAP Host Agent through Landscape Management. The options for SAP Landscape Management Internal Operation Check and LVMIntOpOld should be enabled before applying the corrections in the support package referenced in the notes. RuntimeInternalOperationValidator should be executed after the corrections are applied to activate the fixes in all hosts.

SAP Security Notes, January 2020

Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.

Note 2142551 is re-released with updated correction instructions for implementing whitelists to protect against clickjacking attacks in AS ABAP. Standard protective measures against clickjacking, including the X-Frame-Options HTTP response header, are not suitable for common NetWeaver integration scenarios. Therefore, SAP provides a whitelist-based framework for NetWeaver technologies. The framework and its implementation are described in SAP Note 2319727.

Note 2848498 provides a kernel patch to remove a Denial of Service (DoS) vulnerability in the Internet Communication Manager (ICM). Attackers can exploit the vulnerability to crash the ICM by sending specially crafted packets to the IIOP or P4 service that lead to a buffer overflow. The corrections in note 2848498 add detection and prevention of the buffer overflow.

SAP Security Notes, December 2019

Note 2871877 patches multiple high priority vulnerabilities in Maintenance, Repair, and Overhaul (MRO) Workbenches in SAP Enterprise Asset Management (EAM). These include missing authorization checks for authenticated users that could lead to an escalation of privileges, and directory traversal caused by insufficient path validation. The latter vulnerability could enable attackers to read, overwrite, delete, or corrupt files on affected servers. Corrections are packaged in a transport included in the Note.

Note 2734675 provides automated and manual corrections for missing authorization checks in SAP Cash Management. The corrections introduce checks for vulnerable function modules including BAPI_FCLM_BAM_AMD_BNKANT and BAPI_HOUSE_BANK_REPLICATE. The function modules support replication of Bank Account Management (BAM) master data between SAP S/4HANA Finance systems.

Finally, Note 2730227 corrects missing authorization checks in the historical data processing component of SAP Central Payments that was introduced in Note 2651431. SAP Central Payments is part of SAP Central Finance and supports centralized payments and clearing activities in central systems instead of source systems.

SAP Security Notes, November 2019

Hot News Note 2839864 updates Note 2808158 for a high risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability exists within the OS Command Plugin of the Agent, accessible through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for the LM_SERVICE for Support Pack levels 6-9 of the Agent. For earlier versions, the commands.xml file must be updated with a new version. It is recommended to apply the setting param="false" to block attackers from injecting commands into the file.

Note 2814007 includes Support Package patches for a missing XML validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Successful exploitation of the vulnerability could enable attackers to retrieve arbitrary files from servers or provoke a denial of service.

Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement checks performed using authorization object S_RFC. They are activated with transaction SACF.

SAP Security Notes, October 2019

Hot News Note 2828682 patches a vulnerability in SAP Landscape Management Enterprise that could lead to the disclosure of critical information. Although the note carries a CVSS score of 9.1/10, the vulnerability it addresses can only be exploited under specific, uncommon conditions. In addition to implementing SAP Landscape Management 3.0 SP12 Patch 02, the corrections in the note include manual instructions for removing confidential information from insecure locations such as logs and archives, and sensitive data exported from XML files.

Note 2826015 patches a critical missing authentication check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The Note provides support package patches for AS2 Adapter 1.0 and 2.0. SAP also recommends confirming the property named default.security.provider for the application named com.sap.aii.adapter.as2.app is set to its default value IAIK.

Note 2792430 addresses a high risk binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. The platforms use a file search algorithm that can result in the inadvertent access of files located in directories outside of the paths specified by users. The successful exploitation of binary planting vulnerabilities can lead to information disclosure, file corruption or deletion, privilege elevation and DLL hijacking.
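The directory traversal issues in the UDDI Server (Note 2806198) and the MRO Workbenches (Note 2871877) and the binary planting issue above share one root cause: a path or file name supplied by the caller is used without confining the result to the directories the application intended. The following is an added example, not code from SAP or from any of the affected products, showing the two checks a defender applies: resolving a caller-supplied path against a base directory and rejecting anything that escapes it, and locating a library or plug-in only by bare file name in an explicit list of directories. The directory tree it builds is constructed in a temporary directory.

```python
"""Two defensive path checks for the bug classes above: directory traversal
(Notes 2806198 and 2871877) and binary planting (Note 2792430).
Added example with a constructed directory tree; not code from SAP or
from the affected products.
"""
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def resolve_within(base, user_path: str) -> Path:
    """Map a caller-supplied path onto `base` and refuse any result that
    lies outside it. '..' segments, absolute paths and symlinks pointing
    elsewhere are all caught because the comparison happens after resolve()."""
    base_dir = Path(base).resolve()
    # Strip leading separators: otherwise an absolute input would discard base_dir.
    candidate = (base_dir / user_path.lstrip("/\\")).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise PathEscape(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def locate_in_allowed_dirs(name: str, search_dirs) -> Path:
    """Find a plug-in or library by bare file name in an explicit list of
    directories only; the working directory and any directory component
    supplied by the caller are never consulted."""
    if name in ("", ".", "..") or Path(name).name != name:
        raise PathEscape(f"{name!r} is not a bare file name")
    for directory in search_dirs:
        candidate = Path(directory).resolve() / name
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(name)


def demo() -> dict:
    """Exercise both checks against a constructed tree in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docroot = root / "registry"
        (docroot / "services").mkdir(parents=True)
        (docroot / "services" / "wsdl.xml").write_text("<wsdl/>")
        (root / "secret.txt").write_text("outside docroot")
        os.symlink(root / "secret.txt", docroot / "link")
        libdir = root / "lib"
        libdir.mkdir()
        (libdir / "plugin.so").write_bytes(b"\x7fELF")
        (root / "plugin.so").write_bytes(b"planted")  # outside the allowed directory

        results["ok"] = resolve_within(docroot, "services/wsdl.xml").read_text()
        results["absolute"] = (
            resolve_within(docroot, "/services/wsdl.xml")
            == docroot.resolve() / "services" / "wsdl.xml")
        for label, path in (("traversal", "../secret.txt"), ("symlink", "link")):
            try:
                resolve_within(docroot, path)
                results[label] = "allowed"
            except PathEscape:
                results[label] = "blocked"

        results["lib"] = locate_in_allowed_dirs("plugin.so", [libdir]).read_bytes()
        try:
            locate_in_allowed_dirs("../plugin.so", [libdir])
            results["planted"] = "allowed"
        except PathEscape:
            results["planted"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The comparison is done on fully resolved paths rather than on the input string, which is why a symlink inside the document root that points outside it is rejected along with the textual "../" case; string-based filters that only look for ".." miss both the symlink and encoded variants.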

SAP Security Notes, September 2019

Hot News Note 2798336 patches a critical code injection vulnerability in NetWeaver Application Server for Java (AS Java). A program error in the Web Container of AS Java could enable attackers to bypass input validation and execute dynamic content such as malicious code. The note includes updates for the J2EE Engine and API components.

Note 2823733 includes an important update for Hot News Note 2808158. The note provides greater coverage for possible attack scenarios targeting an OS Command Injection vulnerability in the SAP Diagnostics Agent.

Note 2817491 addresses high priority denial of service and information disclosure vulnerabilities in SAP HANA Extended Application Services (Advanced Model). Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or enumerate open internal network ports. The vulnerabilities have been fixed with SAP HANA Extended Application Services (Advanced model) version 1.0.118.

SAP Security Notes, August 2019

Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.

Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.

Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.
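The SSRF outcomes listed above (internal network scanning, file retrieval, requests from behind the firewall) are prevented on the server side by validating the target of any server-initiated request before it is sent. The following is an added example, not code from SAP or from AS Java, of such a validator: it restricts the scheme, rejects credentials in the URL, resolves the host and refuses it if any resolved address falls in a loopback, private, link-local or other non-routable range. The hostnames and addresses in FAKE_DNS are constructed (RFC 5737 documentation ranges), and system_resolver is included only to show the production substitute.

```python
"""Validate the target of a server-initiated HTTP request before sending it.
Added example; not code from SAP or from AS Java. FAKE_DNS is a constructed
table so the check runs offline; system_resolver is the production substitute.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # no file://, ftp://, gopher:// and so on

# Ranges a server must never fetch from on a user's behalf. Listed explicitly
# rather than via ipaddress.is_private so the rule set is stable across versions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed DNS table (documentation addresses; no real hosts).
FAKE_DNS = {
    "partner.example": ["203.0.113.10"],
    "intranet.corp.example": ["10.0.0.7"],
    "rebind.example": ["203.0.113.20", "127.0.0.1"],  # mixed public/internal answer
}


def address_allowed(ip: str) -> bool:
    """True if the address lies outside every blocked range."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return not any(addr in net for net in BLOCKED_NETWORKS)


def fake_resolver(host: str) -> list:
    """Offline stand-in for DNS; literal IP addresses resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def system_resolver(host: str) -> list:
    """Real resolver for production use (not exercised in this example)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=fake_resolver, allowed_hosts=None) -> bool:
    """Return True only if the URL may be fetched by the server."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # http://trusted.example@10.0.0.7/ style confusion
    host = parts.hostname
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    try:
        addresses = resolver(host)
    except OSError:
        return False
    # Every answer must be acceptable: one internal address is enough to reject.
    return bool(addresses) and all(address_allowed(a) for a in addresses)


if __name__ == "__main__":
    for u in ("https://partner.example/api", "http://intranet.corp.example/",
              "http://127.0.0.1:50000/", "file:///etc/passwd", "http://rebind.example/"):
        print(u, validate_outbound_url(u))
```

Two practical points: pass an allowed_hosts set wherever the application only ever needs to reach a known list of systems, since an allow list is far stronger than the range-based deny list; and make the actual connection to the address that was validated rather than letting the HTTP client resolve the name a second time, otherwise a name that changes its answer between the check and the request would defeat the check.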

SAP Security Notes, July 2019

Hot News Note 2808158 patches a critical code injection vulnerability in the SAP Diagnostics Agent. The Agent is required to monitor operating systems and discover the database cluster topology from SAP Solution Manager. It is not required for monitoring the security of SAP systems with Solution Manager. Security-relevant data is collected or monitored primarily through RFC connections maintained between Solution Manager and managed systems.

The vulnerability impacts the OS Command Plugin in transaction GPA_ADMIN. The transaction is used to create and maintain guided procedures. Note 2808158 provides a patch for the LM_SERVICE in SP levels 05-09 of Solution Manager 7.2.

Note 2774489 addresses a high priority OS command injection vulnerability in SAP Process Integration (PI). ABAP Test Modules of PI could enable attackers to execute privileged OS commands. The relevant support packages listed in the note should be applied to remove the vulnerable source code in the modules.

SAP Security Notes, June 2019

Note 2748699 provides instructions for securing the credentials of the standard user SM_EXTERN_WS in SAP Solution Manager. SM_EXTERN_WS is used by CA Introscope Enterprise Manager (EM) to collect monitoring metrics, mainly from non-ABAP components in SAP landscapes. The metrics are collected via the Introscope Push web service. The credentials for SM_EXTERN_WS, including the automatically generated password, are stored in a file that is referenced by the property dpcpush.credentials.file in the file <EM_install_dir>/sap/<SolMan_SID>.e2emai.properties. The credentials in the file are insufficiently protected against attackers. However, dialog logon with SM_EXTERN_WS is not possible, since the user is of type system user. Also, SM_EXTERN_WS does not have administrative privileges.

Note 2748699 recommends deploying the LM-SERVICE software component and patching the Management Module for Enterprise Manager. Also, it includes instructions for enabling encryption to protect the password file.

Switchable authorization checks were introduced by notes 2524203, 2527346 and 2496977 to supplement checks performed using authorization object S_RFC for critical Remote-enabled Function Modules (RFMs) in components of SAP ERP. This includes RFMs in Accounts Receivable and Payable, Materials Management, and Sales and Distribution.