In recent years, Onapsis and SAP have been working together to help organisations manage the most significant types of cyber risk to business applications today. SAP’s primary focus in May 2022’s SAP Security Patch Day involved addressing vulnerabilities related to Spring4Shell.
The first threat intelligence report jointly written by SAP and Onapsis revealed a key cybersecurity blind spot that affects how many enterprises safeguard their mission-critical SAP applications. According to the findings of their research, not only has the danger landscape expanded over the past several years, but cyber attackers have also become more adept in their use of well-known exploits, and the window of opportunity for defenders has shrunk steadily over time.
Furthermore, according to the report titled Onapsis: Threat Intelligence Report Active Cyberattacks on Mission-Critical SAP Applications, despite the fact that SAP has promptly patched the exploited critical vulnerabilities — with patches made available to customers for months — many companies still have not implemented the necessary mitigations, which tends to leave their SAP systems unprotected to cyberattacks. While SAP releases monthly updates to address severe vulnerabilities, users are expected to maintain regular mitigations and system configurations to keep important business processes and data secured.
This month, the German enterprise software giant updated 17 SAP Security Notes, which include four HotNews and two High Priority notes. The significant Remote Code Execution (RCE) vulnerability in the Spring Framework, known as the Spring4Shell vulnerability, has been patched in all HotNews Notes released since the last patch day. The Spring4Shell Summary HotNews Note, #3170990, has been updated, and the new version involves the following impacted SAP applications: SAP Business Cloud, SAP Commerce, SAP Customer Customer Profitability Analytics, Sybase PowerDesigner Web, SAP Customer Checkout, and SAP HANA Extended Application Services.
Onapsis’ Contribution to SAP Security Patch Day
Furthermore, four of the new vulnerabilities detected were patched thanks to the efforts of Onapsis Research Labs, including one that was given a High Priority rating and received a CVSS score of 8.3. SAP and Onapsis discovered that the vulnerability had a significant impact on the confidentiality, integrity, and availability of a system after being exploited.
Other key insights in May 2022’s SAP Security Patch Day include:
- A bug that appears during the installation of an update for SAP BusinessObjects Enterprise has been fixed by SAP Security Note #2998510, which carries a CVSS score of 7.8. The upgrade makes information in the Sysmon event logs available to be utilised in subsequent attacks that have a major effect on the systems’ capacity to maintain their confidentiality, integrity, and availability.
- A vulnerability known as Cross-Site Scripting exists in SAP NetWeaver Application Server ABAP (Advanced Business Application Programming). This vulnerability is described in SAP Security Note #3146336, which has a CVSS score of 5.4. Due to this flaw, an authenticated attacker might delete theme data and upload suspicious files.
- A Memory Corruption issue in SAP Host Agent, SAP NetWeaver AS ABAP, and ABAP Platform has been patched by SAP Security Note #3145702, which has a CVSS score of 5.3. Memory corruption can be caused by leveraging logical faults in memory management, which can then have an impact on the availability of the service. This vulnerability allows an unauthenticated attacker to have this capacity.
To conclude the SAP Security Patch Day this month, Thomas Fritsch, SAP Security Researcher at Onapsis, said:
“As always, the Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.”