Three issues in SAP BusinessObjects have been discovered, and several information disclosure vulnerabilities with CVSS ratings ranging from 5.2 to 8.2 have been addressed as part of the August SAP Security Patch Day this year.
SAP, a global leader in enterprise software, partners with third-party researchers and information technology (IT) security professionals to assist safeguard their clients and partners from any potential security risks by regularly uncovering and resolving vulnerabilities. For example, Onapsis Research Labs collaborates closely with the German tech giant to gain a better understanding of its systems and develop new features that can assist in strengthening the security of any SAP system.
For the August SAP Security Patch Day, SAP has released 11 new and updated Security Notes (this total includes the notes that have been released or updated since the Patch Tuesday in July). This also contains one note regarded as Hot News as well as three notes referred to as High Priority.
This month, there is only one Hot News Note, which is SAP Security Note #2622660. This note offers constant updates for SAP Business Client, including the most recent patches for Chromium that have been tested. The most recent revision of this note, along with two of the three High Priority Notes, was previously made available at the end of July.
As of today, SAP Security Note #3210823 is the only newly released High Priority Note. This note addresses a vulnerability in SAP BusinessObjects that could expose sensitive information to unauthorized parties.
SAP Security Note #2622660: Classified as Hot News
Customers of the SAP Business Client user interface (UI) are well aware that any changes to this note will always contain essential bug fixes that need to be dealt with. The most recent revision of the note mentions 52 changes that were made to Chromium, with one problem having a “Priority Critical” status and 29 regarded as “Priority High”. An independent researcher found the critical vulnerability, which is now being recorded under the identifier CVE-2022-1853.
At the time that the SAP Security Note was updated, SAP claims that there was not yet a confirmed CVSS rating available. Patching, on the other hand, is strongly advised in light of Google’s admission that the company is aware of publicly available exploits for several of the vulnerabilities.
Addressing Information Disclosure vulnerabilities in SAP BusinessObjects
SAP has released fixes for three Information Disclosure vulnerabilities that were discovered in SAP BusinessObjects (SAP BO). These issues, which affect various parts of the application, have already been addressed. The most serious vulnerability is addressed in the High Priority SAP Security Note #3210823, which has a CVSS score of 8.2 and is connected to the Open Document.
Within a SAP Business Objects BI platform installation, Open Document is just one of many web applications that are made available to users. It evaluates incoming URL requests for documents and any other form of viewable object that is stored in the Central Management Server (CMS), and then it delivers the correct document to the end user in the viewer that is most appropriate for that document.
In addition, users are able to send other users direct links to a document, which eliminates the need for those users to navigate through a folder hierarchy, as is the case with the BI launch pad. Because of the vulnerability, it was possible for an unauthenticated attacker to access sensitive information in plain text over the network before it was patched.
Meanwhile, the Monitoring DB of SAP BO is vulnerable to the second Information Disclosure flaw that has been discovered. Monitoring is a technology that comes pre-installed with Business Intelligence version 4.x that can gather and display real-time server metrics.
A fix for the said issue can be found in SAP Security Note #3213507, and it has been assigned a CVSS score of 5.2. Due to the fact that the score value does not correspond with the designated CVSS vector, this score may be subject to modification. The vector indicates that the CVSS score needs to be 6.9.
Last but not least, SAP Security Note #3213524 fixes a vulnerability in the Commentary DB of the SAP BusinessObjects BI Platform that could also allow information disclosure. This vulnerability was assigned a CVSS score of 5.2. With the release of BI 4.2 Service Pack 3 for Web Intelligence, the commentary function was made available. Users are given the ability to remark on any block or cell that is contained inside a report.
The tables that BI Commentary needs to function properly are created and managed within the Audit database by default. On the other hand, SAP suggests that you configure a separate Commentary DB in order to store the comments. Both the circumstances that must be met in order to exploit the vulnerability and the potential effects that it could have on the application are identical to those that were present for the vulnerability that was fixed with the 3213507 patch.
Onapsis Researcher Manager of Content and Technical Research Thomas Fritsch noted that SAP’s August Patch Day is a relatively calm Patch Tuesday because there are only 11 SAP Security Notes that need to be addressed. He concluded:
“This allows SAP customers to review the patch status of their systems and to apply any pending patches from previous patch days. There is no better measure against the increasing number of attack attempts against SAP environments than keeping patching current.”
