SAP Patch Day: February 2023
High Priority Notes for SAP Host Agent, SAP BusinessObjects, and SAP Business Planning and Consolidation
Highlights of February SAP Security Notes analysis include:
- February Summary—Twenty-six new and updated SAP security patches released, including one HotNews Note and five High Priority Notes
- Highest CVSS score for SAP Host Agent—Critical vulnerability allows executing arbitrary OS commands
- Onapsis Research Labs Contribution—Our team supported SAP in patching thirteen vulnerabilities, covered by twelve SAP Security Notes
SAP has released twenty-six SAP Security Notes on its February Patch Day, including one HotNews Note and five High Priority Notes.
The only HotNews Note in February is the periodically recurring SAP Security Note #2622660, which patches the latest Chromium vulnerabilities in SAP Business Client. This release fixes fifty-four Chromium vulnerabilities, twenty-two of them rated High; the highest CVSS score among the fixed vulnerabilities is 8.8.
Two of the five High Priority Notes are updated versions of previously released SAP Security Notes and were initially released on SAP’s December Patch Day.
SAP Security Note #3268172, tagged with a CVSS score of 8.8, now explicitly states that customers running SAP on a database other than SAP HANA are also affected by this note.
High Priority Note #3271091, tagged with a CVSS score of 8.5, patches a Privilege Escalation vulnerability in SAP Business Planning and Consolidation. This note was only updated with minor text changes; customers who have already implemented it do not need to take any further action.
The New High Priority Notes in Detail
The most critical patch of SAP’s February Patch Day with regard to CVSS score is SAP Security Note #3285757, tagged with a CVSS score of 8.8. Our team from the Onapsis Research Labs (ORL) detected a serious vulnerability in SAP Host Agent. An authenticated, non-administrative user with local access to a server port assigned to the SAP Host Agent service can submit a specially crafted web service request containing an arbitrary operating system command. SAP Host Agent executes that command with administrator privileges, so a successful exploit compromises the confidentiality, integrity, and availability of the host. The note provides a patch for SAP Host Agent. Customers not familiar with upgrading SAP Host Agent can refer to SAP Note #1031096 for details.
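Because SAP Host Agent is installed on every SAP host, including database and web dispatcher servers that admins rarely log on to, the practical follow-up to this note is to verify the installed patch level across the whole landscape rather than on the application servers alone. The script below is an added example, not code from the original article or from SAP: it parses the version banner that `saphostexec -version` prints, compares it with a minimum patch level per kernel release line, and flags hosts whose banner cannot be read so that they are never counted as patched by accident. The banners are constructed samples, the banner field names are an assumption about the usual SAP kernel `-version` layout, and the minimum level in `REQUIRED_PATCH_LEVEL` is a placeholder that must be replaced with the level stated in SAP Security Note #3285757 for your release line.

```python
"""Added example (not from the original article or from SAP): check the
installed SAP Host Agent level on each host against the minimum patch level
a Security Note requires."""
import re
from typing import Dict, Optional, Tuple

# ASSUMPTION: placeholder minimum patch level per kernel release line.
# Replace with the level stated in SAP Security Note 3285757 for your release.
REQUIRED_PATCH_LEVEL: Dict[str, int] = {"722": 61}

# Constructed sample banners keyed by host name (not captured from real
# systems); the field names follow the usual SAP kernel "-version" layout.
SAMPLE_BANNERS: Dict[str, str] = {
    "sapapp01": """\
/usr/sap/hostctrl/exe/saphostexec: SAPHOSTAGENT information
kernel release                722
kernel make variant           722_REL
compiled on                   Linux GNU SLES-12 x86_64 cc8.2.1
patch number                  58
latest change number          1234567
""",
    "sapapp02": """\
kernel release                722
kernel make variant           722_REL
patch number                  61
""",
    "sapdb01": """\
kernel release                721
kernel make variant           721_REL
patch number                  60
""",
    # Host where the agent binary was not found: must not pass silently.
    "sapweb03": "saphostexec: command not found\n",
}

# Only the two fields we need; "kernel make variant" etc. are ignored.
_FIELD = re.compile(r"^(kernel release|patch number)\s+(\d+)\s*$", re.MULTILINE)


def parse_banner(text: str) -> Optional[Tuple[str, int]]:
    """Return (release, patch_level) or None when the banner is unparseable."""
    fields = {m.group(1): m.group(2) for m in _FIELD.finditer(text)}
    try:
        return fields["kernel release"], int(fields["patch number"])
    except KeyError:
        return None


def assess(release: str, patch: int,
           required: Dict[str, int] = REQUIRED_PATCH_LEVEL) -> str:
    """'ok', 'vulnerable', or 'unknown-release' when the release line is not
    covered by the table (treat it as work to do, not as safe)."""
    if release not in required:
        return "unknown-release"
    return "ok" if patch >= required[release] else "vulnerable"


def fleet_report(banners: Dict[str, str],
                 required: Dict[str, int] = REQUIRED_PATCH_LEVEL) -> Dict[str, str]:
    """Map each host to its status; unparseable banners become 'unreadable'."""
    report: Dict[str, str] = {}
    for host, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            report[host] = "unreadable"
            continue
        report[host] = assess(*parsed, required=required)
    return report


if __name__ == "__main__":
    for host, status in sorted(fleet_report(SAMPLE_BANNERS).items()):
        print(f"{host:10s} {status}")
```

In a real run the banners would be collected by executing `saphostexec -version` on each host (for example over SSH) and feeding the captured output into `fleet_report`; anything other than `ok` is a host to follow up on.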
The two remaining new High Priority Notes both affect SAP BusinessObjects (BO) customers.
SAP Security Note #3263135, tagged with a CVSS score of 8.5, patches an Information Disclosure vulnerability in the SAP BusinessObjects Business Intelligence platform. Beyond the fact that the attacker must be authenticated, the note gives no further details. A successful exploit can lead to a high impact on confidentiality and a limited impact on the integrity of the application.
The more critical note in terms of its possible impact on the application is SAP Security Note #3256787, tagged with a CVSS score of 8.4. The patched vulnerability allows an authenticated admin user to upload malicious code that the application then executes over the network. Although the impact on the application’s confidentiality, integrity, and availability is High, the CVSS score is lower than that of SAP Security Note #3263135 because a successful exploit requires a user with admin privileges, which raises the Privileges Required metric and lowers the exploitability part of the score.
Contribution of the Onapsis Research Labs
In addition to the critical vulnerability in SAP Host Agent that was patched with SAP Security Note #3285757, the Onapsis Research Labs (ORL) supported SAP in patching nine Cross-Site Scripting vulnerabilities and three URL Redirection vulnerabilities. They affect the following applications:
- SAP NetWeaver AS for ABAP and ABAP Platform
- SAP NetWeaver AS ABAP Business Server Pages (Framework & Application)
- SAP Solution Manager
- SAP Solution Manager (BSP Application)
The patched software components are:
- SAP_BASIS
- SAP_ABA
- ST
The CVSS scores of the corresponding vulnerabilities range between 6.1 and 6.5. The following list gives a brief overview of the versions and Support Package (SP) levels of the components that require patching. Customers should nevertheless verify their own versions and Support Package levels thoroughly to ensure accuracy:
Summary & Conclusions
SAP’s February Patch Day comes with more than double the number of Notes of the previous Patch Day. However, with the periodically recurring SAP Security Note #2622660 for SAP Business Client as the only HotNews Note, one new High Priority Note for SAP Host Agent, and two new High Priority Notes for SAP BusinessObjects, it can be considered a less critical SAP Patch Day. Nevertheless, with its large number of Medium Priority Notes, the majority of which the ORL team contributed to, SAP Admins will be busy again this month.
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.