The recent publication of the SAP Security December Patch Day includes updates and solutions for critical SAP vulnerabilities, with important contributions from Onapsis Research Labs.
Protecting SAP business applications against emerging cyberthreats and patching newly discovered exploitable vulnerabilities necessitates a constant focus on the security of SAP software that has already been installed. As a result, the German enterprise software giant publishes updates to its security measures on the second Tuesday of every month. Timely patching is essential, with configuration changes being made right after patches are installed based on the CVSS score of the vulnerabilities.
SAP Security Note #2622660, a HotNews Note that delivers an update for SAP Business Client incorporating the latest supported Chromium fixes, is one of the 20 new and updated Security Notes released on December Patch Day. Compared to the previous supported version, Chromium 107.0.5304.122 addresses 34 vulnerabilities, 24 of which are rated as “High Priority,” hence SAP Business Client now supports this version. The highest CVSS score for all vulnerabilities patched is 9.6.
With its first publication as a HotNews on SAP’s November Patch Day, the High Priority Note #3249990 has now been downgraded. A report on one of two vulnerabilities in the version of SQlite that comes preinstalled with SAPUI5 was rejected just five days after it was released. Meanwhile, an update to the suggested solution is detailed in High Priority Note #3229132. This update, which was first issued in October, resolves a security concern with SAP BusinessObjects Business Intelligence Platform involving Information Disclosure.
“With twenty new and updated SAP Security Notes, including five HotNews Notes and five High Priority Notes, the last SAP Patch Day of the year is a busy one. It was an extraordinary year for everyone responsible for SAP security,” Onapsis Research Labs Content and Technical Researcher Thomas Fritsch shared in his blog post.
Onapsis Contributes to Patching SAP Vulnerabilities
Two significant vulnerabilities in SAP NetWeaver Process Integration (SAP PI) were patched with help from the Onapsis Research Labs. SAP PI’s Messaging System and User Defined Search were both found by Onapsis to provide authentication-free services via the P4 protocol. The availability of a name and directory API leaves systems vulnerable to attacks by those who seek to gain unauthorized control over critical resources.
Fixed in SAP Security Note #3273480, the CVSS score for the abovementioned vulnerability in User Defined Search is 9.9. The patch for the Messaging System may be found in SAP Security Note #3267780, which has a CVSS score of 9.4. Both updates ensure that only authorized users are able to access protected areas.
To address a serious Server-Side Request Forgery flaw in the SAP BusinessObjects Business Intelligence Platform, SAP released Security Note #3239475, which has a CVSS rating of 9.9. This vulnerability does not qualify for the highest possible CVSS score of 10 since exploiting it would require more permissions than are currently in place. Anyone with “normal BI user privileges” can completely overwrite any file on the Business Objects server.
According to Fritsch, this poses a serious threat to the confidentiality, integrity, and availability of the application since it allows the attacker to assume complete control of the system. Based on the CVSS score and the severity of the impact, this is the most serious vulnerability that SAP BusinessObjects Business users will face on December Patch Day.
Moreover, when it comes to SAP Security Note #3271523, the same consequence occurs for SAP Commerce clients. Another HotNews vulnerability has been fixed in this report, which has a CVSS score of 9.8. Apache Commons Text, an open-source Java library, contains a bug that makes SAP Commerce susceptible to CVE-2022-42889. To put it simply, if untrusted configuration parameters are utilized, the affected version might be exploited to execute malware remotely or make unintended connections to distant services.
Onapsis helped SAP patch two vulnerabilities in SAP SolutionManager in addition to the major vulnerabilities in SAP PI and the SAP BASIS component. This issue has been addressed in SAP Security Note #3271313, which has a CVSS score of 6.1.
Finally, the Onapsis team also found a flaw in the SAP SolutionManager Diagnostics Agent’s access control, which might allow for the theft of sensitive data or the takeover of a whole system. SAP has issued a solution for this vulnerability in SAP Security Note #3265173, which has a CVSS score of 6.0.
“I am thrilled about the contribution the Onapsis Research Labs was able to make in patching a lot of serious vulnerabilities. I also appreciate their ability to collaborate with the SAP security team in order to increase awareness for SAP customers about their system security and provide them the best possible protection,” Fritsch concluded.