SAP Security Patch Day May 2022: Spring4Shell Vulnerability Has Been Patched in Six SAP Applications

SAP Security Notes Blog

Highlights of May SAP Security Notes analysis include:

  • May Summary—17 new and updated SAP security patches released, including four HotNews notes and two High Priority notes
  • Spring4Shell Impact on SAP—Six SAP applications have now been patched in total 
  • Onapsis Contribution—Onapsis Research Labs supported SAP in patching four vulnerabilities, including one High Priority Note

SAP has released 17 new and updated SAP Security Notes in its May 2022 patch release, including the notes that were released since last patch day. As part of this month’s patch release, there are four HotNews notes and two High Priority notes.

The Update Regarding Spring4Shell

All HotNews Notes released since last patch day provide patches for the critical Remote Code Execution vulnerability in the Spring Framework which was detected inMarch 2022 and which is known as Spring4Shell vulnerability. The Spring4Shell Summary HotNews Note, #3170990 was updated and currently includes the following affected SAP applications:

SAP Application

SAP Note

Release Date

SAP HANA Extended Application Services

3189428

12/04/2022

SAP Customer Checkout

3187290

12/04/2022

Sybase PowerDesigner Web

3189429

12/04/2022

SAP Customer Profitability Analytics

3189635

14/04/2022

SAP Commerce

3171258

18/04/2022

SAP Business One Cloud

3189409

10/05/2022

In contrast to the Summary Note for the Log4J vulnerability, the Spring4Shell Summary Note does not list any SAP applications that are currently analyzed or for which a patch is in progress.

Onapsis Contribution To The Current Patch Day

The Onapsis Research Labs contributed this time in patching four vulnerabilities, one of them rated with High Priority:

SAP Security Note #3145046, rated with a CVSS score of 8.3, patches a Cross-Site Scripting vulnerability in the administration UI of ICM in SAP Application Server ABAP/Java, and in the administration UI for SAP Web Dispatcher (stand-alone and (A)SCS instance embedded). SAP and the Onapsis Research Labs (ORL) found a high impact on a system’s confidentiality, integrity, and availability when exploiting the vulnerability. The only thing that prevents this vulnerability from being tagged with a higher CVSS is the fact that an attacker must entice a victim to log on to the administration UI using a browser and that the attack is highly complex.

The SAP note provides patches for all affected components as well as  three options for a temporary workaround, which are as follows:

  • Option 1: Delete the affected files
  • Option 2: Disable the administration UI
  • Option 3: Remove the authorizations to for logging on to the administration UI for all possible victim users

While Option 1 requires no additional activities once the patch is applied, the workarounds of Options 2 and 3 need to be reversed after patching.

SAP Security Note #3146336, tagged with a CVSS score of 5.4, describes a Cross-Site Scripting vulnerability in SAP NetWeaver Application Server ABAP. The ORL detected that this vulnerability allows an authenticated attacker to upload malicious files and delete theme data. The provided patch disables the ability to upload individual files via the SAP UI Theme Designer.

SAP Security Note #3145702, tagged with a CVSS score of 5.3, patches a Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver AS ABAP, and ABAP Platform. The vulnerability allows an unauthenticated attacker to leverage logical errors in memory management to cause memory corruption which impacts service availability. The notes provide patches for the affected kernel versions as well as for SAP Host Agent.

The latter also includes a patch for another SAP Host Agent vulnerability that was detected by the ORL. SAP Security Note #3158188, tagged with a CVSS score of 5.3, describes an Information Disclosure vulnerability in the SAP Host Agent log file. The log file exposes sensitive information that could be used for critical follow-up attacks. Since the provided patch level for SAP Host Agent attached to SAP Security Note #3145702, is higher than the one attached to SAP Security Note #3158188, the latter one is automatically patched when patching note #3145702.

Other Critical SAP Security Notes in May

In addition to SAP Security Note #3145046, another High Priority Note was released on SAP’s May Patch Day, SAP Security Note #2998510, tagged with a CVSS score of 7.8. This note patches a problem that exists during an upgrade of  SAP BusinessObjects Enterprise. The upgrade exposes information in the Sysmon event logs that could be used in follow-up attacks with high impact on systems’ confidentiality,integrity, and availability.

Summary & Conclusions

This month, SAP focused on patching its applications with regard to the Spring4Shell vulnerability. The Onapsis Research Labs contributed to patching four vulnerabilities, one of them rated with High Priority.

As always, the Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.