This month’s SAP Security Notes included an update to a Security Note released on April 2018 Patch Day for the browser control Google Chromium delivered with SAP Business Client, now tagged as a Very High priority with a CVSS 10 score.
A total of 12 Security Notes, comprising 10 new notes and 2 updates to previous security patches, were released by SAP this week. CISA (Cybersecurity and Infrastructure Security Agency), a United States federal agency focused on driving a secure and resilient infrastructure, and Onapsis Research Labs, a team of security experts with in-depth knowledge and experience in security and threat intelligence affecting business-critical applications, both contributed to the June SAP Security Patch Day by identifying several vulnerabilities affecting multiple products.
Every second Tuesday of the month, the SAP Product Security Response Team releases SAP Security Notes to help customers apply patches urgently and by priority to protect their SAP landscape. External researchers and IT security professionals such as Onapsis and CISA work together with SAP to continuously discover and fix security vulnerabilities, helping to maintain the security of its customers’ and partners’ SAP systems.
June 2022 SAP Security Notes
Very High Priority Vulnerability
Tagged with a CVSS 10 score, SAP Note #2622660 affects SAP Business Client version 6.5 and references 82 Chromium fixes. It is a continuously recurring SAP Security Note for SAP Business Client that requires critical fixes; this month it is an update to the Security Note released on April 2018 Patch Day for the browser control Google Chromium.
High Priority Vulnerabilities
The two High Priority Notes identified this month affect SAP NetWeaver and ABAP Platform, and SAP PowerDesigner Proxy 16.7.
SAP Note #3158375, rated with a CVSS score of 8.6, reports improper access control in SAProuter for SAP NetWeaver and ABAP Platform. Although SAP shared a temporary workaround, namely hardening the route permission table by removing the wildcards from entries of type 'P' and 'S', the German tech company strongly recommends implementing the patch provided.
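The route-table hardening that SAP describes as the temporary workaround can be checked mechanically. The following is an added example, not code from this article or from SAP; it assumes the documented saprouttab layout (`<type> <source-host> <target-host> <target-service> [<password>]`) and runs over a constructed sample table:

```python
# Added example (not from the article or from SAP): audit a SAProuter route
# permission table (saprouttab) for the workaround named in SAP Note #3158375,
# i.e. permit entries of type P or S that still use '*' wildcards.
# Assumed saprouttab layout (documented format):
#   <type> <source-host> <target-host> <target-service> [<password>]
# '#' starts a comment; '*' is the wildcard; types are P (permit), S (permit,
# SAP protocol only) and D (deny); a leading K marks an SNC entry.

# Constructed sample table for the demonstration, not taken from a real system.
SAMPLE_SAPROUTTAB = """\
# permit SAP GUI traffic from the internal range to the production host
P  10.0.0.0/8    sapprd01  3200
# overly broad: any source may reach the SAProuter info port
S  *             sapprd01  3299
# overly broad: one host may reach any target on any service
P  192.168.1.5   *         *
# SNC entry, outside the P/S scope the article describes
KP 10.0.5.0/24   sapdev01  3200
# final deny-all rule
D  *             *         *
"""

def parse_saprouttab(text):
    """Yield (line_no, type, source, target, service) for each rule line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: fewer than the four mandatory fields
        yield line_no, fields[0].upper(), fields[1], fields[2], fields[3]

def find_wildcard_permits(text):
    """Return one finding per P/S entry whose host or service fields use '*'."""
    findings = []
    for line_no, rtype, source, target, service in parse_saprouttab(text):
        if rtype not in ("P", "S"):
            continue  # deny entries and SNC (K-prefixed) entries are skipped
        fields = (("source", source), ("target", target), ("service", service))
        wild = [name for name, value in fields if "*" in value]
        if wild:
            findings.append({"line": line_no, "type": rtype, "wildcards": wild})
    return findings

if __name__ == "__main__":
    for f in find_wildcard_permits(SAMPLE_SAPROUTTAB):
        print(f"line {f['line']}: {f['type']} entry uses wildcard in "
              f"{', '.join(f['wildcards'])}")
```

Each finding names the table line and which of the three mandatory fields carries the wildcard, which is the entry an administrator would narrow to explicit hosts and services.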
SAP Note #3197005, given a CVSS score of 7.8, patches a potential privilege escalation in SAP PowerDesigner Proxy 16.7.
Medium Priority Vulnerabilities
Seven SAP Security Notes were categorised as medium priority, including one update to a previous note and one new vulnerability identified by Onapsis.
Two notes are given a CVSS score of 6.5: SAP Note #3165801, which affects SAP NetWeaver Application Server for ABAP and ABAP Platform and updates the Security Note released on May 2022 Patch Day for a missing authorization check in that product, and SAP Note #3206271, which reports improper input validation in SAP 3D Visual Enterprise Viewer.
SAP Note #3197927, tagged with a CVSS score of 6.1, patches the Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository).
SAP Note #3194674, with a CVSS score of 5.0, was a collaborative effort of SAP and Onapsis. It provides the patch for a Server-Side Request Forgery vulnerability in the kernel of SAP Application Server ABAP/Java and in the SAP Host Agent. The two companies found that exploiting the vulnerability has a low impact on a system’s confidentiality.
SAP Notes #3203065 and #3158815 were also given a CVSS score of 5.0, with the former pertaining to a Segregation of Duty vulnerability in the ILFI-AP File from SHAAM program route note and the latter to a privilege escalation vulnerability in SAP Financial Consolidation.
The last note categorised as medium priority is SAP Note #3158619, which reports a privilege escalation in the SAP Start Service of SAP NetWeaver AS ABAP, AS Java, ABAP Platform, and HANA Database.
Low Priority Vulnerabilities
SAP Notes #3202846 and #3155571 report, respectively, multiple vulnerabilities associated with the Apache log4j 1.x component in SAP NetWeaver Developer Studio (NWDS) and a privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE).
CISA Alerts
Onapsis has also shared the exploitation activity it detected related to previously patched vulnerabilities. To help ensure SAP landscapes are protected, CISA added the three identified vulnerabilities to its Known Exploited Vulnerabilities Catalog. These are the vulnerabilities, all already patched by SAP:
- SAP Note #2101079: Potential modif./disclosure of persisted data in BC-ESI-UDDI
- SAP Note #2256846: Potential information disclosure relating to usernames
- SAP Note #3084487: [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)