SAP Security Patch Day August 2022: A Calm Patch Day With SAP BusinessObjects in Focus

Highlights of August SAP Security Notes analysis include:

• August Summary – 11 new and updated SAP security patches released, including one HotNews Note and three High Priority Notes. 
• SAP Business Client Update – Chromium fixes that require special attention
• Three Vulnerabilities in SAP BusinessObjects – Several Information Disclosure vulnerabilities patched with CVSS scores between 5.2 and 8.2

SAP has published 11 new and updated Security Notes in its August Patch Day (including the notes that were released or updated since July’s Patch Tuesday). This includes one Hot News Note and three High Priority Notes. 

SAP’s August Patch Day was very calm. The only Hot News Note is SAP Security Note #2622660 which provides regular updates for SAP Business Client, including the latest tested Chromium patches. The update of this note, as well as two of the three High Priority Notes, was previously released at the end of July. The only new High Priority Note as of today is SAP Security Note #3210823, which patches an Information Disclosure vulnerability in SAP BusinessObjects.    

HotNews Note #2622660 in Detail

SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The newest update of the note references 52 Chromium fixes including one Priority Critical and 29 Priority High issues. The critical vulnerability was detected by an external researcher and is tracked under CVE-2022-1853. According to SAP,  no confirmed CVSS rating was available at the time of the SAP Security Note update. However, patching is strongly recommended since Google states to be aware of publicly available exploits for some of the vulnerabilities.

In Focus: SAP BusinessObjects

SAP has patched three Information Disclosure vulnerabilities in SAP BusinessObjects (BO) which affect different components of the application.

The most critical one is patched with High Priority Note #3210823, tagged with a CVSS score of 8.2, and relates to the Open Document. Open Document is one of many deployed web applications within an SAP Business Objects BI platform installation. It processes incoming URL requests for documents and any other viewable object type in the Central Management Server (CMS), and delivers the correct document to the end user in the appropriate viewer. This allows users to send other users direct links to a document and avoids them having to navigate through a folder hierarchy, such as in BI launch pad. The patched vulnerability allowed an unauthenticated attacker to retrieve sensitive information in plain text over the network. This includes any data available for business users. The vulnerability could also be exploited to put load on the application, by an automated attack,so data is transferred permanently over the network.

The second Information Disclosure vulnerability affects the Monitoring DB of SAP BO. Monitoring is an out of the box solution in BI 4.x, to collect and display live server metrics. The Monitoring Service captures the monitoring data and passes it on to the monitoring application that stores the data in the Monitoring DB. The vulnerability is patched with SAP Security Note #3213507 and tagged with a CVSS score of 5.2. This score might be subject to change as the score value does not match with the designated CVSS vector. According to the vector, the CVSS score should be 6.9. In contrast to the previous vulnerability, an attacker would need authenticated high privilege access, to the same physical/logical network, for a successful exploit. In this case, the disclosed data could lead to low impact on confidentiality but high impact on integrity.  

SAP Security Note #3213524, tagged with a CVSS score of 5.2, patches an Information Disclosure vulnerability in the Commentary DB of the SAP BusinessObjects BI Platform. The commentary feature was introduced with BI 4.2 SP3 Web Intelligence. It allows users to comment on any block or cell within a report. By default, BI Commentary creates and maintains its tables in the Audit database. However, SAP recommends you configure a dedicated Commentary DB to store the comments. The conditions required to exploit the vulnerability, and the possible impact on the application, are exactly the same as for the vulnerability that is patched with #3213507. 

Two High Priority Notes Released at the End of July

SAP Security Note #3226411, tagged with a CVSS score of 8.1, patches a Privilege Escalation vulnerability in the SAP SuccessFactors attachment API for Mobile Application(Android & iOS). The vulnerability allows an attacker to read and write attachments in several mobile applications of SAP SuccessFactors. Due to misconfigured application endpoints, an attacker with user privileges can perform activities with admin privileges over the network leading to a full compromise of the application’s confidentiality and integrity.

SAP has therefore disabled the attachment functionality in the mobile application. In addition to the provided patch, SAP recommends removing certain permissions from non-admin users. Users should use the Web UI for the affected applications if they want to use attachments.

SAP Security Note #3213141, tagged with a CVSS score of 7.3, describes an Information Disclosure vulnerability in SAP Landscape Management. Under certain conditions, an authenticated SAP Landscape Management user can escalate their privileges to other systems and make those other systems vulnerable to information disclosure and modification. The note describes in detail the situation leading to a disclosure of credential data that can be used to connect to other systems. Due to the sensitive nature of this vulnerability, further details are not described here but can be found in the SAP note.

Summary and Conclusion

With only 11 SAP Security Notes, SAP’s August Patch Day is a very calm Patch Tuesday. This allows SAP customers to review the patch status of their systems and to apply any pending patches from previous patch days. There is no better measure against the increasing number of attack attempts against SAP environments than keeping patching current.

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance, ensuring customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP Patch Day, SAP security, and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.

Additional Reading

• The Value of Table Change Logging For SAP Customizing Data

• Three Actively Exploited SAP Vulnerabilities Identified by Onapsis Research Labs: What You Need to Know

• ICMAD: Critical Vulnerabilities in SAP Business Applications Require Immediate Attention