SAP Business One and SAP NetWeaver Development Infrastructure have been added to the small group of SAP applications that are affected by a CVSS 9.9 vulnerability in 2021.
On the 10th of August 2021, SAP Security Patch Day saw the release of 19 new and updated security patches that fix vulnerabilities on various SAP applications and products. Delivered by the SAP Product Security Response Team to ensure clients are protected against potential cybersecurity attacks, this month’s security patches included three Hot News Notes and six High Priority Notes.
In his report, Onapsis Researcher Thomas Fritsch described last month’s SAP Security Patch Day as the “calm before the storm”. At the same time, he noted that August is the “most noteworthy SAP Patch Day this year” given the nine critical patches it includes.
“SAP Enterprise Portal customers should pay special attention to SAP’s August Patch Day since there are four patches released for this application, in collaboration with the Onapsis Research Labs, three of them rated as High Priority,” he stressed.
Recently added to the small group of SAP applications that are affected by a CVSS 9.9 vulnerability in 2021 are SAP NetWeaver Development Infrastructure and SAP Business One.
SAP Hot News Notes Issued for Vulnerabilities in SAP Applications
With an assigned CVSS score of 9.9, SAP Security Note #3071984 fixes a vulnerability in SAP Business One — the tech giant’s business management software for small and medium-sized enterprises. The bug allows an attacker to upload files, including malicious scripts, to the server.
Fritsch explained that this did not receive the top CVSS rating of 10 because it requires a minimum set of authorisations. According to him, simply deactivating the affected functionality should work for customers who can’t immediately apply the related hotfix. However, SAP cautions that this workaround should only be used as a temporary fix and not as a long-term solution.
Meanwhile, SAP Security Note #3072955, also tagged with a CVSS score of 9.9, addresses a servlet of the Component Build Service in SAP NetWeaver Development Infrastructure (SAP NWDI) that was exposed to the outside world. Onapsis stated that this allows attackers to “perform proxy attacks by sending crafted queries.”
SAP has warned that the severity of the flaw depends on whether customers are running NWDI on the Intranet or the Internet. Additionally, the German enterprise software company emphasised that it “could completely compromise sensitive data residing on the server, and impact its availability” if it is running on the Internet.
The third Hot News Note, SAP Security Note #3078312, has an assigned CVSS score of 9.1. It fixes an SQL Injection issue in the Near Zero Downtime (NZDT) feature of the DMIS Mobile Plug-In or SAP S/4HANA. This feature is used by SAP’s corresponding NZDT service for time-optimised system conversions and system upgrades. Fritsch further explained:
“When using the NZDT service, the maintenance is performed on a clone of the production system. All changes are recorded and transferred to the clone after the maintenance tasks are completed. During the final downtime, only a few activities are executed, including a switch of the production to the new system (clone).”
For customers who have activated the Unified Connectivity (UCON) runtime check, Onapsis noted that the solution for this issue is to not assign the used remote-enabled function module to any communication assembly (CA) in UCON.
Other Highlights of August SAP Security Patch Day
SAP Security Note #3072920, which also has a CVSS score of 8.3, patches a similar flaw in another SAP Enterprise Portal servlet.
Meanwhile, SAP Security Note #3074844, with an assigned CVSS score of 8.1, is the third High Priority Note for this month. This patch addresses a server-side request forgery (SSRF) vulnerability in one of SAP NetWeaver Enterprise Portal’s design-time components. According to Onapsis, it could allow an unauthenticated attacker to craft a malicious URL that could send any type of request — for example, POST or GET — to any internal or external server if a user clicked on it.
SAP Security Note #3076399, which has a CVSS score of 6.1, reported the fourth vulnerability that was patched in partnership with Onapsis Research Labs. It fixes a URL redirection issue in SAP Knowledge Management that could allow remote attackers to “redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component,” according to Onapsis.
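The two Enterprise Portal and Knowledge Management issues above are instances of two general web bug classes: server-side request forgery (the application fetches a URL an attacker controls) and open redirection (the application sends the user to a URL an attacker controls). The following is an added example, not code from SAP, Onapsis or the patched components, of the defender-side checks an application would apply to a user-supplied URL before fetching or redirecting to it. The allowed hostnames are constructed for the example, and the internal-target check deliberately works without DNS so it runs offline; a real deployment would also resolve the hostname and re-check every resolved address.

```python
"""Defensive URL validation for the two bug classes discussed above.

Added example; not code from SAP, Onapsis or the affected components.
- is_safe_redirect(): allowlist check against open redirection.
- is_internal_target(): loopback/private/link-local check against SSRF.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would use the
# hostnames the application itself legitimately serves.
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "km.example.com"}


def _normalize(url: str) -> str:
    """Strip control characters and map backslashes to slashes.

    Browsers treat "/\\evil" like "//evil", so the check must see the same
    thing the browser will see.
    """
    cleaned = "".join(ch for ch in url.strip() if ord(ch) > 0x1F)
    return cleaned.replace("\\", "/")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Return True only for a same-site path or an absolute URL on an allowed host."""
    url = _normalize(url)
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    if not parts.netloc:
        # No authority component: accept only a plain absolute path.
        # "//host" would have produced a netloc, so it never reaches here.
        return url.startswith("/") and not url.startswith("//")
    # urlsplit().hostname ignores userinfo, so "https://good@evil/" yields
    # "evil" and is rejected rather than matched on the "good" prefix.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def is_internal_target(url: str) -> bool:
    """Return True if the URL names the local host or a non-global address.

    Handles bracketed IPv6 literals and decimal-encoded IPv4 hosts such as
    http://2130706433/ (= 127.0.0.1). Plain hostnames return False here;
    the caller must resolve them and re-run the address check.
    """
    parts = urlsplit(_normalize(url))
    host = (parts.hostname or "").lower()
    if host == "" or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # Decimal host forms bypass naive string matching; decode them.
        addr = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # a DNS name, not an address literal
    return not addr.is_global


if __name__ == "__main__":
    # Constructed sample inputs illustrating each edge case.
    for candidate in ["/irj/portal", "//evil.example.net/",
                      "https://portal.example.com@evil.example.net/",
                      "javascript:alert(1)"]:
        print(f"redirect {candidate!r}: {is_safe_redirect(candidate)}")
    for candidate in ["http://127.0.0.1:8080/", "http://[::1]/",
                      "http://2130706433/", "https://8.8.8.8/"]:
        print(f"internal {candidate!r}: {is_internal_target(candidate)}")
```

The redirect check is an allowlist rather than a blocklist: anything that is not a bare same-site path or an explicitly allowed host is refused, which is what closes scheme-relative (`//host`), backslash and userinfo tricks in one rule. The SSRF check is only the offline half of the control; because a DNS name can resolve to a private address (or change its answer between check and use), the address check has to be repeated on the resolved address the outbound connection will actually use.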
Other critical vulnerabilities covered on August SAP Security Patch Day were a missing authentication flaw in SAP Business One, a task hijacking issue in the Fiori Client mobile app for Android, and an authentication issue affecting SAP systems accessed through a Web Dispatcher.