April was another bumper month for SAP Security Notes. In all, SAP issued 33 patches, of which 5 were considered critical. Top of the list were Notes 1647225 and 1675432 which address missing authorization checks in components of Business Objects Data Services (EIM-DS) and the SAP Classification System (CA-CL).
EIM-DS is SAP’s flagship solution for data integration and quality. It’s used to consolidate, cleanse and migrate data from both SAP and external systems. CA-CL is used to manage classification properties and classes for various types of objects. An example could be an object such as a Ford F-350. This would fall into a Vehicle class and have properties such as length, weight, color, power, capacity, etc. assigned within the system. Both EIM-DS and CA-CL suffer from vulnerabilities that could enable users to escalate their privileges and perform administrative functions.
SAP also issued three other critical Security Notes. Two of these deal with programming errors in the SAP User Management Engine (BC-JAS-SEC) and other components of the NetWeaver Web AS Java. This manages Web-based access to SAP applications such as the Enterprise Portal. Note 1651004 is designed to protect the UME from cross-frame scripting (XFS) attacks that could be used to the steal the logon credentials of SAP users. You can learn more about XFS here. Note 1641208 deals with signature wrapping attacks that target XML messages transmitted through certain SAP Web services. This attack can be used to intercept and manipulate a message without breaking the digital signature designed to protect the integrity of the message and its content. It could enable attackers to modify the data within XML messages without detection.
The last vital patch released by SAP in April was Note 1652803 which fixes a Denial of Service (DoS) vulnerability in certain versions of Apache Tomcat bundled with Business Objects Enterprise. Tomcat is an open source web server that provides a runtime environment for Java code. Business Objects Enterprise is the platform that supports SAP reporting tools such as Crystal Reports, Web Intelligence and the Dashboard Builder.
SAP uses the Common Vulnerability Scoring System (CVSS) system to rate Security Notes. Three of the five critical vulnerabilities patched in April have a base score of 7.5. The highest possible score is 10.0. SAP did not provide CVSS information for the other two. This is fairly common. SAP doesn’t consistently provide CVSS scores for all Notes.
The Advisory below includes a complete listing of all of the Security Notes issued by SAP last month. Particular attention should be paid to 1657200, which is designed to patch a flaw in an SAP component responsible for managing payment cards, and the injection vulnerability patched by 1638596.