In its latest SAP Security Patch Day, the German tech giant — which provides solutions for businesses and public institutions to operate effectively and efficiently — released 27 new and updated Security Notes. Six of these notes are considered High Priority.
As a world leader in enterprise software, SAP works with external researchers and security IT professionals to help protect their customers and partners from any potential security issues by continuously discovering and solving vulnerabilities. For instance, Onapsis Research Labs works closely with the company to understand its systems and build new features that would help bolster the safety of any SAP installation.
Moreover, the SAP Product Security Response Team releases Security Notes to help customers protect their SAP landscapes. This is done by giving them a heads-up on urgent patches that are required in order to avoid vulnerabilities and allowing them time to plan a patching strategy by providing information about upcoming deadlines. The team also provides up-to-date information about critical patches, including which systems are impacted by the vulnerability, how serious the issue is being rated by the research team, and an estimate of when a patch will be available.
The patch release for the month of July has seen SAP issuing 27 new and updated SAP Security Notes including those that have been released since June’s Patch Day. There are six notes classified as High Priority which need to be addressed immediately. Furthermore, this month’s SAP Security Patch Day has been focused on addressing three key areas of the SAP Business Suite, including SAP Business One (SAP B1), SAP Business Objects (SAP BO), and SAP Enterprise Portal (SAP EP).
SAP Security Note #3212997, with a CVSS score of 7.6, is a critical vulnerability fix for SAP Business One and SAP HANA integration scenarios that expose sensitive information to unauthorized users. This could be used by the attacker to help launch subsequent attacks on other networks or systems. As this type of vulnerability would allow attackers to gain access to sensitive data, it is important that the patch is installed as soon as possible.
Meanwhile, SAP Security Note #3157613, which has been given an advisory score of 7.5 in the Common Vulnerability Scoring System (CVSS), is a vulnerability that has been identified in the SAP B1 license service API. The report identifies that a missing authentication check allows unauthenticated attackers to send malicious HTTP requests over the network and break the application, making it inaccessible to legitimate users.
A temporary solution can be found in the knowledge base article #3189816 that can prevent end users from accessing the license API. Additionally, the article is aimed at customers who cannot apply the corresponding patch immediately.
SAP Security Note #3191012, on the other hand, has been assigned a CVSS score of 7.4, making it the third note in the High Priority category. The SAP B1 client has been updated to fix a code injection vulnerability that was discovered in this note. The vulnerability that exists in the application exposes it to a low-privileged attacker who can control and manipulate the behavior of the application. There are no workarounds available for this vulnerability, so it is imperative that the corresponding patch be implemented as soon as possible.
When only taking into consideration the CVSS score of SAP Security Note #3221288 (which is 8.3), it is the most critical vulnerability that was patched in this month’s SAP Security Patch Day. A security vulnerability present in the Central Management Console (CMC) of SAP Business Objects Business Intelligence Platform, allows an attacker to gain information about a user’s credentials over the network. This vulnerability would allow an unauthenticated attacker to gain restricted token details if they were to exploit this flaw, breaking the authentication process and forcing it to reveal details that are generally not available.
More Highlights in SAP Security Patch Day July 2022
Other High Priority Notes in July include SAP Security Note #2726124, which has a CVSS score of 6.3 and was already released last month. The note patches a Missing Authorization Check vulnerability in multiple components of SAP Automotive Solutions and is marked as a critical priority fix for all affected versions. The impact of the security exploit is considered to be low, but it is fairly easy to execute since remote access is not required and no advanced privileges are required in order to execute the attack.
Lastly, SAP Security Note #3147498, with a CVSS assignment of 7.4, has been published to provide minor textual updates for a patch that was previously included in SAP’s June Patch Day. The fix resolves a vulnerability in SAP NetWeaver AS Java that would allow an unauthorized user to access services that are critical to the operations of an organization.
Onapsis Research Labs also recently assisted SAP by providing the update for the Missing Authorization Check vulnerability that was found in their highly sensitive Enterprise Extension Defense Forces & Public Security application. It has identified an issue with one of the remote-enabled function modules in this application. The issue was that an explicit authorization check was missing which can then result in an escalated privilege level, which could lead to a data breach and ultimately impact the confidentiality of the application.
Thomas Fritsch, Manager of Content and Technical Research, at Onapsis, concluded in the blog post:
“SAP’s July Patch Day shows that it is beneficial to review all SAP Security Notes first before starting to implement patches. Identifying clusters of Security Notes that affect the same application and software component help to significantly reduce the amount of work and time required for patching.”