
SAP Issues High Priority Note for SAP NetWeaver AS Java


SAP’s latest security notes on SAP Security Patch Day July 2021 included a High Priority Note for SAP NetWeaver AS Java. It has been found that the component does not execute a proper validation of HTTP requests when monitoring data is stored.

The SAP Product Security Response Team issues SAP Security Notes on the second Tuesday of every month to address vulnerabilities detected in SAP products, so that customers are protected against potential cyberattacks. On 13 July 2021, 16 new and updated SAP security patches, including two Hot News Notes and two High Priority Notes, were published.

SAP Security Note #3056652, rated as a High Priority Note and with an assigned CVSS score of 7.5, has been released as a result of the ongoing collaboration between SAP and the Onapsis Research Labs. The team from Onapsis has found that SAP NetWeaver AS Java does not execute proper HTTP request validation when storing monitoring data.

According to the report from Onapsis, an SAP application security solutions provider, this flaw could allow an attacker to manipulate HTTP requests and cause system resource exhaustion, posing a direct threat to the system’s availability. In addition, Onapsis researcher Thomas Fritsch said that exploiting this vulnerability is “quite simple”, because the attack complexity is low and no user interaction or privileges are required.

Another High Priority Note is SAP Security Note #3059446, tagged with a CVSS score of 7.6. It fixes a Missing Authorisation vulnerability in SAP NetWeaver Guided Procedures (SAP GP), a component of the Composite Application Framework (CAF) that enables workflow modeling and management.

SAP GP allows end-users to easily identify and complete their tasks by providing role-based access to tools, resources, and support through workflows at runtime. Moreover, it provides access to a wide range of backend systems and allows for the consistent integration of multiple services and applications into processes.

The Administration Workset component of SAP GP contained the Missing Authorisation vulnerability. The element serves as SAP GP’s central administration tool, allowing for a variety of tasks such as controlling communication with SAP systems.

The Onapsis report further stated that a missing authorisation check could result in unauthorised reading, modification, or deletion of data. It noted, however, that disabling the corresponding application in SAP NetWeaver Administrator, if it is not required, should resolve the issue.

SAP-Onapsis Collaboration Addresses Flaw in SAP NetWeaver AS Java

Aside from helping in the detection of the vulnerability in SAP NetWeaver AS Java, Onapsis Research Labs also assisted the German software giant in addressing an Information Disclosure vulnerability in SAP Enterprise Portal. Assigned with a CVSS score of 4.5, the patch is provided with SAP Security Note #3059764.

To put the issue into context, one of the portal’s HTTP endpoints exposes sensitive information that an attacker with administrator privileges could use in conjunction with other attacks. Onapsis encourages customers to use the patch as soon as possible, despite the low CVSS score, since there is a wide range of possible risks related to these attacks.

Meanwhile, SAP Security Note #2622660 has the highest CVSS score of 8.8 and is patched with the latest SAP Business Client update, which includes Google Chromium version 91.0.4472.101. According to Onapsis, SAP Business customers should apply the new SAP Business Client update immediately, following Google’s confirmation that the patched High Priority vulnerability CVE-2021-30551 has already been exploited.

SAP Security Note #3007182, on the other hand, is tagged with a CVSS score of 9.0. Although it has a CVSS score higher than the previously mentioned Security Note #2622660, it includes just a minor update on an issue that was initially fixed on June’s SAP Security Patch Day. SAP has updated the support packages section to include a new SP Stack Kernel version.

Moreover, Fritsch emphasised that SAP’s July Patch Day can be regarded as “a fairly uneventful patch day” since there are only two updated Hot News Notes and two new High Priority Notes. He explained:

“One lesson learned from SAP Security Note #3059764 is that a note’s CVSS score does not necessarily take into account the worst-case scenario. The assigned numerical level of severity does not consider the impact of subsequent attacks that could occur or attacks that might gain a broader attack surface through an exploit of the given vulnerability.”

Onapsis and SAP have been working closely together to discover and address major issues in SAP software, ensuring that customers are protected ahead of time. In April, the two companies collaborated on a cyber threat intelligence report that provided actionable insights into defending customers’ mission-critical SAP applications from active cyber threats.
