SAP Security Patch Day July 2022: Three Applications in Focus

Highlights of July SAP Security Notes analysis include:

• July Summary—27 new and updated SAP security patches released, including six High Priority notes
• Three Focus Areas — SAP Business One (B1), SAP Business Objects (BO), and SAP Enterprise Portal (EP)
• Onapsis Contribution—Onapsis Research Labs supported SAP with patching a Missing Authorization Check vulnerability in SAP Enterprise Extension Defense Forces and Public Security

SAP has released 27 new and updated SAP Security Notes in its July 2022 patch release, including the notes that were released since the last patch day. As part of this month’s patch release, there are six High Priority notes.

Three primary areas are affected by today’s SAP Security Notes, so Onapsis Research Labs recommends reviewing all details below before implementing the corresponding patches.

Three High Priority Notes Released for SAP Business One

The majority of today’s High Priority Notes were leased for SAP Business One (B1). 

SAP Security Note #3212997, tagged with a CVSS score of 7.6, patches a critical Information disclosure vulnerability in integration scenarios of SAP B1 and SAP HANA. The vulnerability allows a highly privileged attacker to gain access to sensitive information such as high privileged account credentials, which could be used to help launch subsequent attacks. 

SAP Security Note #3157613, tagged with a CVSS score of 7.5, solves an issue in the license service API of SAP B1. A Missing Authentication Check allows an unauthenticated attacker to send malicious http requests over the network in order to break the application and make it inaccessible. For SAP customers who cannot apply the corresponding patch immediately, the note refers to knowledge base article #3189816 for a temporary workaround describing how to prevent end users from accessing the license API. 

The third High Priority note is SAP Security Note #3191012, tagged with a CVSS score of 7.4. This note patches a code injection vulnerability in the SAP B1 client. The vulnerability enables a low privileged attacker to control the behavior of the application. There is no suitable workaround available and thus, implementing the corresponding patch is strongly recommended.

There was a fourth SAP Security Note released for SAP B1 on SAP’s July Patch Day with Medium Priority. Note #3211203 describes a denial of service vulnerability that exists due to improper input sanitization of XML input.

Note: All four vulnerabilities are patched with SAP Business One 10.0 FP 2202. A good starting point for summary information and upgrade path information are these two SAP Overview notes:

• Note #3149778 – Overview Note for SAP Business One 10.0 FP 2202
• Note #3149802 – Overview Note for SAP Business One 10.0 FP 2202, version for SAP HANA

Six SAP Security Notes Released for SAP Business Objects, Including One High Priority Note

When only taking CVSS score into account, SAP Security Note #3221288, tagged with a CVSS score of 8.3, is considered the most critical vulnerability of SAP’s July Patch Day. A vulnerability in the Central Management Console (CMC) of SAP Business Objects Business Intelligence Platform, allows an unauthenticated attacker to gain token information over the network, which would otherwise be restricted. Fortunately, an attack like this also would require a legitimate user to access the application. On successful exploitation, the attacker can completely compromise the application. There is no downloadable patch attached to the note but the Solution section states that “This is fixed in… 4.2 SP09 Patch 9, 4.3 SP01 and above releases.”

The below section summarizes all six SAP Security Notes for Business Objects and provides information for efficient patching: 

SAP Security Note	CVSS	Vulnerability	SBOP BI PLATFORM SERVERS Support Package Patches
#3221288	8.3	Information Disclosure	4.2     SP009     PL000000 4.3     SP001     PL000000
#3169239	6.5	Information Disclosure	4.2     SP009     PL000800 4.3     SP001     PL001300           SP002     PL000400           SP003     PL000000
#3194361	6.0	Information Disclosure	4.2    SP009     PL000900    4.3    SP001     PL001300             SP002     PL000400          SP003     PL000000
#3167430	5.6	Privilege Escalation	4.2   SP009    PL000800 4.3   SP001    PL001300         SP002    PL000300         SP003    PL000000
#3213279	5.4	Cross-Site Scripting	4.2     SP009    PL000900
#3203079	5.4	SQL Injection	4.2     SP009    PL000900 4.3     SP001    PL001300           SP002    PL000400           SP003    PL000000

 

The Support Package Patches listed below fix all six vulnerabilities:

4.2     SP009     PL000900
4.3     SP001     PL001300
          SP002     PL000400
          SP003     PL000000

Six Cross-Site Scripting Vulnerabilities Patched in SAP Enterprise Portal

There were six SAP Security Notes released for SAP Enterprise Portal. They all patch Cross-Site Scripting vulnerabilities and they are all tagged with a CVSS score of 6.1:

 

SAP Security Note	Affected Software Components
#3211760	EP-WPC
#3208880	EP-BASIS
#3207902	EP-ADMIN
#3208819	EP-RUNTIME
#3209557	EP-RUNTIME
#3210779	EP-RUNTIME

 

The three SAP Security Notes affecting EP-RUNTIME are all patched with the same support package patches. There is a small difference in the Support Package Stack section for SAP Security Note #3210779 – there is no patch information provided for EP RUNTIME 7.50 SP018.

Other High Priority Notes in July

SAP Security Note #2726124, tagged with a CVSS score of 6.3, was already released at the end of June. The note patches a Missing Authorization Check vulnerability in multiple components of SAP Automotive Solutions. The impact on the application’s confidentiality, integrity, and availability is considered low but the exploit is relatively easy to perform since an attack can be started remotely and doesn’t require advanced privileges.

SAP Security Note #3147498, tagged with a CVSS score of 7.4, contains minor textual updates for a patch that was initially released on SAP’s June Patch Day. The patch fixes a vulnerability in SAP NetWeaver AS Java that allows unauthorized access to some major services.

Onapsis Research Labs Contribution

Onapsis Research Labs (ORL) supported SAP in patching a Missing Authorization Check vulnerability in the highly sensitive SAP Enterprise Extension Defense Forces & Public Security application. ORL detected that one of the remote-enabled function modules of this application can be compromised due to a missing explicit authorization check. This can result in an escalation of privileges, which impacts the application’s confidentiality. SAP Security Note #3196280, tagged with a CVSS score of 4.3, addresses this issue and provides a patch that includes a sufficient authorization check. 

Summary and Conclusions

SAP’s July Patch Day shows that it is beneficial to review all SAP Security Notes first before starting to implement patches. Identifying clusters of Security Notes that affect the same application and software component help to significantly reduce the amount of work and time required for patching.

As always, Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities into our products so customers can protect their organizations.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.