Fourteen SAP security updates, including four HotNews Notes and three High Priority Notes, were published on SAP Security Patch Day in November 2022. The SAP BusinessObjects patch is the most important since it addresses a CVSS 9.9 vulnerability that can result in complete system compromise.
The SAP Product Security Response Team disseminates details on the monthly release of Patch Day Security Notes, which address previously identified vulnerabilities in SAP software and products and provide information on how to mitigate or workaround the issues. The German tech giant urges all customers to take action and visit the Support Portal in order to secure their SAP environment by applying fixes as soon as possible. By doing so, clients can help ensure that their systems are up-to-date and protected against any potential threats.
In addition, the SAP Product Security Response Team has extended its gratitude to all researchers and security IT professionals who assist in the discovery and resolution of security vulnerabilities. By adhering to the group’s disclosure guidelines, these individuals play a key role in ensuring the safety and security of SAP products. Furthermore, the SAP Product Security Response Team added that the company’s customers and partners may rest assured that their systems are always protected thanks to the ongoing contributions of the researchers.
Onapsis Research Labs Content and Technical Researcher Thomas Fritsch is one of the security researchers whose exemplary work has been recognized by the SAP Product Security Response Team. In his blog post, Fritsch provided further information on the November 2022 SAP Security Patch Day’s 14 new and updated Security Notes (including the notes that have been published or updated since last October’s Patch Day). The security patches for this month contain four “Hot News” notes and three “High Priority” notes.
Fritsch claims that Onapsis Research Labs made a significant contribution to the SAP Security Patch Tuesday by helping the German enterprise software giant address three separate vulnerabilities.
Two vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform have been fixed in High Priority Note #3256571, which has a CVSS score of 8.7. All EPSF remote-enabled function modules are susceptible to both vulnerabilities. Two function modules could be called remotely with carefully constructed parameters to read or erase files caused by weak input validation. The update now incorporates input validation for the appropriate parameter values by verifying relative path information.
“The example of SAP Security Note #3256571 shows that even source code objects more than 25 years old can still suffer from security issues. It is not sufficient to check only newly created or changed objects for vulnerable code, the complete custom development must be evaluated,” Fritsch said.
Highlights of November SAP Security Patch Day
The CVSS 6.1-rated SAP Security Note #3238042 is another outcome of Onapsis’ ongoing security research. The note fixes an issue with URL Redirection in SAP Biller Direct — a solution used to generate invoices from anywhere with an internet connection, giving SAP clients the opportunity to check their invoicing and account details.
An unauthenticated attacker can create a URL that appears to come from a trusted source, as discovered by the Onapsis Research Labs. Unsuspecting users who click it will be sent to a malicious website of the attacker’s choosing due to the inclusion of a parameter that has not been sanitized. The victim’s data may be leaked or altered as a result. The Security Note includes an update that checks the validity of the vulnerable parameter before carrying out the redirect.
Regularly, SAP releases a patch for SAP Business Client through SAP Security Note #2622660 that includes Chromium version 106.0.5249.91. Users of the SAP Business Client should be aware that every revision of this note includes necessary bug patches.
Meanwhile, The second updated HotNews Note since the Patch Day in October is SAP Security Note #3239152, which has a CVSS score of 9.6. First issued last month, this update addresses an Account Hijacking flaw in SAP Commerce. Two changes were made to this newer version of the note. According to Fritsch, the updated note does not require any more action on the user’s part.
The SAP SuccessFactors attachment API for Mobile Applications — Android and iOS — has a critical vulnerability that can lead to a privilege escalation, as detailed in High Priority Note #3226411. This is the second advisory about this issue. The initial revision of the note, published in September, focused on attachments and re-enabled their use in the Time Off, Time Sheet, and EC Workflow modules. On the other hand, the most recent update safeguards the Benefit Claims section of the platform.
Other HotNews Notes Include:
- An insecure deserialization of unverified data is the root cause of the vulnerability addressed by SAP Security Note #3243924, which has a CVSS score of 9.9. This vulnerability affects the SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad). The only reason this vulnerability doesn’t get a CVSS score of 10 is because an exploit would necessitate a certain level of access for the attacker.
- SAP Security Note #3249990 addresses two flaws in the SQLite library that is part of the SAPUI5 framework and carries a CVSS score of 9.8. With SQLite 3.34.0 and later, the more severe vulnerability (CVSS score 9.8) has been patched.
- The second SAP vulnerability has a CVSS 7.5 rating since it “only” affects the accessibility of SAPUI5 apps. CVE-2022-35737 is the number assigned to this remote exploitable flaw. The attacker doesn’t need to have any special permissions to use it.
“With 14 new and updated SAP security patches, including four HotNews Notes (with two of them being new) and three High Priority Notes, this is a calm Patch Day for SAP customers.” Fritsch concluded in his article.