SAP has released a fresh wave of updates with its July SAP Security Notes. The release includes two HotNews Notes and seven High Priority Notes, targeting IS-OIL, Solution Manager, Web Dispatcher, and ICM, applications with noted vulnerabilities that need immediate attention.
One of the HotNews Notes addresses a major vulnerability in the SAP IS-OIL system. As described in SAP Security Note #3350297, this vulnerability, which carries a high-risk CVSS score of 9.1, potentially allows an authenticated user to inject arbitrary operating system commands through an unprotected transaction or program parameter.
SAP addressed the vulnerability in collaboration with Onapsis Research Labs; the new patch adds rigorous input validation. Because an exploit could significantly compromise the confidentiality, integrity, and availability of the system, swift application of this patch is strongly recommended.
Navigating High Priority SAP Security Notes: Where Vigilance Matters
Alongside the HotNews Notes, SAP released seven High Priority Notes this July, four of which were developed in collaboration with Onapsis Research Labs. While they might carry lower CVSS scores than the HotNews Note for IS-OIL, these updates remain incredibly important due to their broad implications for SAP’s customer base.
Among these high-priority updates are:
- SAP Security Note #3233899 (CVSS 8.6) and #3340735 (CVSS 7.7): These notes contain essential patches for vulnerabilities within SAP ICM and SAP Web Dispatcher. The former addresses an HTTP Request desynchronization risk, which could potentially allow malicious payloads to be executed. The latter tackles a Memory Corruption vulnerability that could lead to errors in memory management, impacting the system’s integrity and availability.
- SAP Security Note #3348145 (CVSS 7.2) and #3352058 (CVSS 7.2): These notes target the SAP Solution Manager’s Diagnostics agent. One deals with a vulnerability that lets attackers manipulate client request headers, while the other resolves an Unauthenticated Blind SSRF vulnerability that enables unauthenticated execution of HTTP requests.
- High Priority Note #3331376 (CVSS 8.7): This note remedies a Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON). It disables a report that didn’t implement proper authorization checks and parameter input validations, thereby preventing an attacker from navigating system directories and overwriting OS files.
- SAP Security Note #3331029 (CVSS 7.8): This note offers a patch for a Denial of Service vulnerability in SAP SQL Anywhere. The vulnerability could potentially allow a low-privileged attacker to overwrite sensitive shared memory data or block access for legitimate users.
These critical updates underline SAP’s steadfast commitment to fortifying software security across its suite of applications. Moreover, this commitment helps to ensure reliable and robust security measures for systems and applications, cultivating trust and confidence among SAP’s global customer base. As a result, SAP’s proactive approach to managing system vulnerabilities not only bolsters security but also enhances overall user confidence.
“With eighteen new and updated SAP Security Notes, including two HotNews Notes and seven High Priority Notes, SAP’s July Patch Day represents an average Patch Day. The Onapsis Research Labs has once again significantly contributed to making the SAP universe a little bit safer. The continuous research of our team resulted in one HotNews Note, four High Priority Notes and 2 Medium Priority Notes,” Thomas Fritsch, SAP Security Researcher at Onapsis, said.
Utilizing Onapsis’ Expertise with SAP Technology
Onapsis Research Labs continues to be a significant partner in SAP’s quest for enhanced system security. They have been instrumental in helping patch multiple vulnerabilities. In addition, their work has been invaluable in addressing Log Injection vulnerabilities in SAP NetWeaver AS Java (SAP Security Note #3324732, CVSS 5.3) and SAP ERP Defense Forces and Public Security (SAP Security Note #3351410, CVSS 4.9). These patches deter unauthorized adjustments to system logs and safeguard the overall integrity of the applications.
Building on its considerable partnership history with SAP, Onapsis has recently expanded its collaboration portfolio, venturing into the utilities sector with Snohomish County Public Utility District (SNOPUD). This Pacific Northwest-based municipal corporation, renowned as the second largest publicly-owned utility in the region, is committed to ensuring reliable services to its large customer base.
With a solid reputation in cybersecurity and compliance solutions, Onapsis has positioned itself as a significant player in streamlining SAP security. Furthermore, their recent alliance with SNOPUD, under the PUD’s Connect Up program, aims to fortify the utility company’s SAP security and provide access to strategic threat intelligence through the expertise of Onapsis Research Labs (ORL).