Layer Seven Security

SAP Security Notes, June 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro. It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes. Note 2622660 was updated in June for corrections addressed by Chromium release 67.0.3396. The note is rated critical because the highest CVSS score among the security corrections bundled in the fixes is 9.8/10.

Note 2537150 was also re-released with updated support pack information. The Note includes corrections to automatically terminate active sessions for users whose passwords have been changed in SAP BusinessObjects.

Notes 2629535 and 2626762 patch high-risk vulnerabilities in open-source components bundled in SAP Internet Sales. The vulnerabilities could be exploited to provoke a denial of service or bypass authentication and authorization controls. SAP Internet Sales is often tightly integrated with back-end SAP systems for order fulfillment and processing.

Finally, there were several important notes released for SAP Solution Manager. Note 2546807 provides manual instructions for successfully connecting agents for Wily Introscope to managed systems. Introscope is included in Solution Manager to support diagnostics and monitoring.  Note 2574394 includes steps for authenticating and encrypting connections from Solution Manager to Diagnostics Agents using TLS. Instructions for securing connections from Diagnostics Agents to Solution Manager are available in Note 2593479.

SAP Security Notes, May 2018

SAP released an update for Hot News Note 2357141 which addresses a critical OS command injection vulnerability in the terminology export report program of SAPterm (transaction STERM). STERM is used to search SAP-delivered terminology and create and maintain customer-specific terminology. TERM_EXCEL_EXPORT is a standard executable program that enables users to export terminology repositories to Excel. The program calls function modules that accept unfiltered user input in expressions that are used to call the operating system. This could be abused by attackers to perform arbitrary operating system commands using the elevated privileges of the <sid>adm user. The impact of such an exploit could include compromise of the entire SAP file system on the affected host. This explains the high CVSS base score of 9.1 / 10 for Note 2357141. The Note rates high in terms of the impact to information confidentiality, integrity and availability. Systems with SAP_BASIS versions 7.31 – 7.66 should be patched to the relevant Support Package level listed in the Note.

There was also an important update for Note 2622660 which includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro. It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft.

Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes. Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The note is rated critical because the highest CVSS score among the security corrections bundled in the fixes is 9.8/10.

Finally, Note 2537150 was re-released with updated support pack information. The Note includes corrections to automatically terminate active sessions for users whose passwords have been changed in BusinessObjects.

SAP Security Notes, April 2018

Hot News Note 2622660 includes critical security updates for web browser controls delivered with SAP Business Client. The Client provides a unified environment for SAP applications including Fiori, SAP GUI, and Web Dynpro. It supports browser controls from Internet Explorer (IE) and Chrome for displaying HTML content. Security corrections for the WebBrowser control of the .NET framework in IE are delivered directly by Microsoft. Unlike IE, the browser control for Chrome is embedded in SAP Business Client using the open source Chromium Embedded Framework (CEF). Security fixes are provided by the Chromium project and delivered by SAP through periodic Security Notes. Note 2622660 includes corrections addressed by Chromium releases 64 and 65. The note is rated critical because the highest CVSS score among the security corrections bundled in the fixes is 9.8/10.

Note 2552318 provides an important update for Note 2376081 released in August 2017. The note deals with a high priority code injection vulnerability impacting iViews created in Visual Composer. iViews are interactive, web-based applications on Java platforms. The corrections included in Notes 2552318 and 2376081 add code injection checks for the entire input stream received from Visual Composer in the export to Excel mechanism. Note 2376081 should be implemented before 2552318.

Note 2537150 includes corrections to automatically terminate active sessions for users whose passwords have been changed in BusinessObjects.

Note 2587985 provides instructions for removing a Denial of Service (DoS) vulnerability in the Apache HTTP Server embedded in SAP Business One.

Finally, Note 2190621 provides a solution to log peer IP addresses instead of terminal IP addresses in the Security Audit Log. Peer or routed IP addresses are less vulnerable to manipulation than terminal IP addresses, which are supplied by the client.

SAP Security Notes, March 2018

Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note.

Note 2604541 includes corrections in support packages for a dangerous denial of service and DDoS vulnerability in the Java OData Gateway. The vulnerability impacts vulnerable open-source Apache servlets that manage incoming OData requests. Refer to CVE-2017-12624 and CVE-2017-3156 for further details.

Notes 2596535 and 2587369 deal with information disclosure vulnerabilities in SAP Business Process Automation (BPA) by Redwood and SAP HANA 1.0 and 2.0. Both notes carry a CVSS score of 7.5 or higher and could be exploited to leak sensitive system and user-related data. In the case of SAP HANA, user credentials may be stored in clear text in indexserver trace files. Attackers may be able to access systems using compromised credentials garnered from the files. Reading the trace files requires the TRACE ADMIN or CATALOG READ privilege. Access to these and other critical privileges in HANA systems should be monitored using SAP Solution Manager.

Note 2595262 includes corrections for a cross-site scripting vulnerability in the SAP CRM WebClient UI. The note has multiple prerequisite notes including collective note 2577883.

Finally, Note 2538829 includes updated libraries for open-source components in the SAP Internet Graphics Server (IGS) that are vulnerable to remote code execution attacks that could lead to memory corruption and provoke a denial of service.

SAP Security Notes, February 2018

Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share common resources such as data storage, user authorizations, and passwords. Permissions to manage spaces including domains and resources are granted through controller roles.

Note 2589129 recommends using HANA XSA patch level 1.0.70 in order to remove several authentication and authorization bypass vulnerabilities listed in the Note. This includes flaws in specific controller roles that could enable users to retrieve sensitive information. It also includes vulnerabilities that could enable unauthenticated or unauthorized users to read the system configuration using SQL statements and retrieve passwords from log files.

Note 2525222 includes automated corrections and manual instructions for high priority vulnerabilities in the SAP Internet Graphics Server (IGS). The vulnerabilities are caused by unrestricted file uploads that could be exploited to provoke a denial of service, perform cross-site scripting or log injection attacks, and leak sensitive data.

Lastly, Note 2565622 includes corrections to remove a broken authentication vulnerability that could enable attackers to access privileged functions or read and modify sensitive data in the SAP NetWeaver System Landscape Directory (SLD). The SLD supports landscape management and stores destination information used for system interfaces and the NetWeaver Development Infrastructure (NWDI).

SAP Security Notes, January 2018

Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing package GRFN_DOCUMENT_WT_CHECK of the BAdI GRFN_DOCUMENT. This activates a positive whitelist in table GRFNDOCUMENTWT to control permitted file extensions and MIME types; anything not listed in the table is rejected.
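The following is an added illustration of the kind of positive whitelist the note activates, not SAP's own code: each permitted extension is paired with the MIME types allowed for it and a content signature, and an upload must satisfy all three. The allowlist entries and sample uploads are constructed for the example; the real table contents are system-specific.

```python
"""Positive (default-deny) allowlist for document uploads, modelled on the
extension + MIME type whitelist described above. Illustrative code only."""
import re

# Constructed allowlist: permitted extension -> MIME types accepted for it.
ALLOWLIST = {
    "pdf":  {"application/pdf"},
    "docx": {"application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
    "xlsx": {"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"},
    "png":  {"image/png"},
    "txt":  {"text/plain"},
}

# Leading bytes a file of each type must start with, so a renamed script
# cannot pass on the client-supplied name and MIME type alone.
MAGIC = {
    "pdf":  [b"%PDF-"],
    "docx": [b"PK\x03\x04"],
    "xlsx": [b"PK\x03\x04"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "txt":  [],   # no signature: accept only if it decodes as UTF-8 text
}

# Letters, digits, dot, underscore, space and hyphen only: no separators,
# control characters or NUL bytes in a file name.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._ -]+$")


def check_upload(filename, declared_mime, head):
    """Return (accepted, reason). `head` is the first bytes of the content."""
    # Reject path components and names with leading/trailing dots or spaces.
    if not filename or not _SAFE_NAME.match(filename) \
            or filename != filename.strip(". "):
        return False, "unsafe file name"
    # The last suffix decides the type: 'report.pdf.exe' is an .exe upload.
    root, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or not root or ext not in ALLOWLIST:
        return False, "extension not in allowlist"
    # Normalise 'Application/PDF; charset=x' to 'application/pdf'.
    mime = declared_mime.split(";")[0].strip().lower()
    if mime not in ALLOWLIST[ext]:
        return False, "MIME type not permitted for extension"
    sigs = MAGIC[ext]
    if sigs and not any(head.startswith(s) for s in sigs):
        return False, "content does not match extension"
    if not sigs:
        try:
            head.decode("utf-8")
        except UnicodeDecodeError:
            return False, "content is not text"
        if b"\x00" in head:
            return False, "content is not text"
    return True, "ok"


if __name__ == "__main__":
    print(check_upload("report.pdf", "application/pdf", b"%PDF-1.7\n"))
    print(check_upload("report.pdf.exe", "application/pdf", b"MZ\x90\x00"))
```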

Note 2408073 provides updated instructions for the handling of digitally signed notes in the Note Assistant. Note 2518518 should be implemented before Note 2408073 to install new objects required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must be version 7.20, patch level 2 or higher. The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Note Assistant using the authorization object S_APPL_LOG. For further information, refer to Note 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073.

Note 2507934 provides instructions for adjusting role SAP_BPO_CONFIG in SAP Solution Manager 7.2. The instructions restrict authorizations for table maintenance in the role to BPO-relevant tables belonging to the authorization groups SS, LMDB, PIMA, SA, IWAD, and SC.

SAP Security Notes, December 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion, which enables SAP standard text to be replaced by industry-specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could allow attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests. The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Note 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

SAP Security Notes, November 2017

Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas. Report for Terminology Export does not sufficiently validate user input that is used to perform operating system commands through the command variable in system calls. The vulnerability could be exploited to perform arbitrary OS commands using the privileges of the underlying service. This could compromise the SAP file system.

SAP updated the priority of Notes 2531241 and 2520772 from High to Hot News based on revised CVSS scores. The Notes were originally released in September and provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution section includes instructions for changing passwords and discovering and removing sensitive log entries.

Note 2500044 introduces improved key management procedures through the profile variable jstartup/secure_key in order to prevent attackers from accessing private keys used for instance communication in the J2EE.

Note 2026174 deals with a high risk code injection vulnerability in a component of the Apache Struts framework used by SAP BusinessObjects Enterprise.

Finally, Note 2542426 provides recommendations for removing a privilege escalation vulnerability in the Image Imports component of SAP Assortment Planning.

SAP Security Notes, October 2017

SAP issued an important update for Hot News Note 2371726 originally released in November 2016. The note addresses a code injection vulnerability in Text Conversion, which enables SAP standard text to be replaced by industry-specific text. Function module BRAN_DIR_CREATE in Text Conversion enables an authenticated development user to inject operating system commands and execute these from the SAP system via that function. Developer rights through the S_DEVELOP authorization object are required for the successful execution of the exploit. Nonetheless, the note carries a CVSS score of 9.10/10 and rates high in terms of impact to data confidentiality, integrity and availability. The note includes corrections for SAP Basis versions 700 – 751 which restrict the range of supported special characters and the directory created by function module BRAN_DIR_CREATE.

Note 2486657 patches a high-risk directory traversal vulnerability in the API Engine of AS Java which arises from insufficient path validation performed by the Servlet API for resource requests. This could allow attackers to read the content of arbitrary files on servers and expose sensitive data to corruption or deletion. The Note includes instructions for updating versions 7.10 – 7.50 of AS Java to the latest patch level including the vulnerable components ENGINEAPI, J2EE ENGINE, J2EE ENGINE CORE and JEECOR.

Note 2476937 delivers a patch for a critical denial of service vulnerability in the SAP Standalone Enqueue Server which is used to support direct TCP connections between clients and servers that bypass dispatchers and message servers. Attackers can trigger resource exhaustion in the Server using specific requests. The Note includes kernel patches for SAP Kernel versions 7.21 – 7.53.

Note 2408073 includes updated instructions for manual activities required to prepare SAP systems to process digitally signed Notes. The note also includes sample files to test the security features once they are enabled.

SAP Security Notes, September 2017

Note 2408073 prepares systems to handle digitally signed SAP Notes. Digitally signed Notes will be issued by SAP in the future to protect against the risk of uploading Notes containing malware. Digital signatures will support authentication and the identification of changes performed by attackers to SAP-delivered Notes. SAP recommends only uploading digitally signed Notes once they are available.

Note 2518518 should be implemented before Note 2408073 to install new objects required to support Notes with digital signatures. The Notes will update the Note Assistant tool to verify digital signatures using the SAPCAR utility. SAPCAR must be version 7.20, patch level 2 or higher. The Note Assistant tool will process ZIP files containing Notes downloaded from the SAP Support Portal and log the results of digital signature checks. Notes that fail the digital signature check will be logged in the Application Log (transaction SLG1) and read by the Note Assistant using the authorization object S_APPL_LOG. For further information, refer to Note 2537133 – FAQ – Digitally Signed SAP Notes and the Digital Signature User Guide referenced in Note 2408073.

Note 2520064 provides detailed instructions for removing a missing authentication check in the SAP Point-of-Sale (POS) Retail Xpress Server that was originally reported in July. The vulnerability could be exploited by attackers to modify files, capture sensitive information and perform a denial of service.

Notes 2531241 and 2520772 provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information including administrative passwords in plaintext within logs that can be read in database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution section includes instructions for changing passwords and discovering and removing sensitive log entries.

Finally, Note 2278931 removes a high-risk code injection vulnerability in Document Management Services. The vulnerability could be exploited by attackers to create backdoors or escalate privileges.