Five vulnerabilities covered by three SAP Security Notes this month were fixed by the SAP Product Security Response Team in collaboration with Onapsis Research Labs.
The September SAP Security Patch Day brought 21 new Security Notes (7 HotNews, 2 High priority, 11 Medium priority, and 1 Low priority) and updated patches for two Security Notes released last month. This month reflects the impact of a strong, collaborative SAP ecosystem: 81% of the patched vulnerabilities were reported by external contributors, including one critical vulnerability affecting SAP NetWeaver Knowledge Management (SAP KM) detected by Onapsis, a major provider of software solutions protecting business-critical applications.
Onapsis shared in a blog that its Onapsis Research Labs, a team of security experts with in-depth knowledge and experience in delivering security insights and threat intelligence affecting business-critical applications, contributed to patching one HotNews and two High Priority vulnerabilities in this month’s SAP Security Patch Day.
7 HotNews SAP Security Notes
Every second Tuesday of the month, the SAP Product Security Response Team releases SAP Security Notes so that customers can apply patches on a priority basis to protect their SAP landscape. External researchers and IT security professionals such as Onapsis work with SAP to continuously discover and fix security vulnerabilities, helping maintain the security and safety of its customers’ and partners’ SAP systems.
Here are the 7 HotNews Security Notes released on 14 September 2021:
Security Note #3078609. Tagged with the highest possible CVSS (Common Vulnerability Scoring System) score of 10.0, this note patches a Missing Authorization Check vulnerability in the Java Message Service (JMS) Connector Service, the enterprise messaging component of SAP NetWeaver AS Java. Urgent action is highly recommended to avoid the risk of restricted data being read, updated, or deleted.
Security Note #2622660. Also tagged with a CVSS score of 10.0, this note is an update to a Security Note released on the April 2018 Patch Day. It provides security updates for the Google Chromium browser control delivered with SAP Business Client.
Security Note #3071984. Tagged with a CVSS score of 9.9, this note is an update to a Security Note released on the August 2021 Patch Day, which fixes an unrestricted file upload vulnerability in SAP Business One.
Security Note #3089831. This note patches SQL Injection vulnerabilities in no less than 25(!) RFC-enabled function modules of the Near Zero Downtime (NZDT) Mapping Table framework used during system upgrades and migrations. The patch allows the affected function modules to be deactivated manually, either completely or partially.
Security Note #3084487. With a CVSS score of 9.9, this note patches an Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT). Similar to an earlier vulnerability, the flaw would allow attackers to read and modify any information on the server or to shut the server down.
Security Note #3081888. Detected by Onapsis Research Labs and tagged with a CVSS score of 9.9, this note patches a Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms). The team identified an XSLT vulnerability that allows an authenticated, non-administrative attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it to a location accessible by the system, and then create a file that triggers the XSLT engine to execute the script contained in the malicious XSL file.
Security Note #3073891. Tagged with a CVSS score of 9.6, this note fixes multiple OS Command Injection and Reflected Cross-Site Scripting vulnerabilities in the chat application of SAP Contact Center.
Onapsis’ September Patch Tuesday Contribution
As a compliance and security expert and an SAP partner, Onapsis Research Labs also helped the SAP team fix two High Priority vulnerabilities, in addition to its contribution to fixing the Code Injection vulnerability.
Security Note #3080567. Tagged with a CVSS score of 8.9, this note fixes an HTTP request smuggling vulnerability in SAP Web Dispatcher (SAP WDP). HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests received from one or more users; it relies on a front-end component and the back-end server disagreeing about where one request ends and the next begins. This Security Note protects SAP users when requests are sent through an SAP WDP.
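The root cause of request smuggling is ambiguous message framing: a reverse proxy and the server behind it derive the request length from different headers. The check below is an added example written for this article, not code from SAP, Onapsis or the Web Dispatcher; it shows the strict policy a front-end component can apply, namely refusing any request whose framing is ambiguous instead of trying to reconcile it. The request samples are constructed for the demonstration, and the set of recognised transfer codings is an assumption of the example.

```python
"""Reject HTTP/1.1 requests whose body length cannot be determined unambiguously.

Added example, not SAP or Onapsis code. Per RFC 7230, Transfer-Encoding takes
precedence over Content-Length; a message carrying both, or conflicting
Content-Length values, is a framing error. Different implementations handle
such messages differently, which is exactly the disagreement request smuggling
exploits, so a strict front end simply refuses them.
"""
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Transfer codings this checker is willing to recognise (an assumption of the
# example). Anything else, e.g. a misspelt or control-character-padded value,
# is rejected rather than guessed at.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}


def parse_head(raw: bytes) -> Tuple[str, Headers]:
    """Split the request head into the request line and (name, value) pairs.

    Header names are kept verbatim (no stripping) so that whitespace tricks
    around the name remain visible to the framing check.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.decode("latin-1"), value.decode("latin-1")))
    return request_line, headers


def _is_decimal(value: str) -> bool:
    """True only for a non-empty run of ASCII digits (str.isdigit accepts more)."""
    return bool(value) and all(ch in "0123456789" for ch in value)


def framing_problems(headers: Headers) -> List[str]:
    """Return the reasons a request's framing is ambiguous; empty means safe."""
    problems: List[str] = []
    content_lengths: List[str] = []
    transfer_encodings: List[str] = []
    for name, value in headers:
        # "Transfer-Encoding : chunked" is parsed as a different header by
        # some servers and as Transfer-Encoding by others: reject outright.
        if name != name.strip():
            problems.append("whitespace around header name %r" % name)
        key = name.strip().lower()
        if key == "content-length":
            content_lengths.append(value.strip())
        elif key == "transfer-encoding":
            transfer_encodings.append(value.strip())

    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values %r" % content_lengths)
    for value in content_lengths:
        if not _is_decimal(value):
            problems.append("non-numeric Content-Length %r" % value)
    if transfer_encodings:
        codings = [c.strip().lower() for v in transfer_encodings for c in v.split(",")]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            problems.append("unrecognised transfer coding(s) %r" % unknown)
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end with chunked")
    return problems


def accept_request(raw: bytes) -> bool:
    """Front-end decision: forward only requests with unambiguous framing."""
    try:
        _, headers = parse_head(raw)
    except ValueError:
        return False
    return not framing_problems(headers)


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 4\r\nContent-Length: 11\r\n\r\nabcd")
SPACED_TE = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("dup-cl", DUP_CL), ("spaced-te", SPACED_TE)]:
        verdict = "forward" if accept_request(req) else "reject"
        print(label, verdict, framing_problems(parse_head(req)[1]))
```

The policy is deliberately conservative: a request that a lenient server would happily repair is still dropped, because the point of the check is that every hop in the chain reaches the same verdict. In a real deployment the same decision would be taken inside the proxy before any bytes are forwarded upstream.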
Security Note #3051787. Tagged with a CVSS score of 7.5, this note patches a Null Pointer Dereference vulnerability in SAP CommonCryptoLib. While no workaround is available, the patch prevents an unauthenticated attacker from sending specially crafted malicious HTTP requests over the network that cause memory corruption ending in a Null Pointer Dereference and, consequently, a crash of the SAP application.
Onapsis Research Labs regularly provides the latest threat intelligence and security guidance via the Onapsis Platform, which offers unprecedented visibility into business-critical SAP, Oracle, and Salesforce applications.