SAP Patch Day: November 2022

SAP Security Notes Blog

Critical HotNews for SAP BusinessObjects and SAPUI5  

  • November Summary – 14 new and updated SAP security patches released, including four HotNews Notes and three High Priority Notes 
  • Most critical patch for SAP BusinessObjects – CVSS 9.9 vulnerability which can lead to full compromise of the affected systems
  • Onapsis Research Labs Collaboration – Onapsis Research Labs contributed to fixing three new vulnerabilities

SAP has published 14 new and updated Security Notes on its November Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes four HotNews Notes and three High Priority Notes. 

HotNews Note #2622660 is the continuously recurring SAP Security Note for SAP Business Client that provides a patch that contains the latest, tested, Chromium release 106.0.5249.91. SAP Business Client customers should be aware that updates of this note always contain important fixes that must be addressed. The updated note references 75 Chromium fixes, including two Priority Critical and 39 Priority High issues that have been resolved since the last supported Chromium release 104.0.5112.81. The maximum CVSS score of all newly patched vulnerabilities is 9.6.

The second HotNews Note that has been updated since October’s Patch Day is SAP Security Note #3239152, tagged with a CVSS score of 9.6. It was initially released in October’s SAP Security Patch Day and patches an Account Hijacking vulnerability in SAP Commerce. The new note version contains two updates. The first update just mentions that the note has been re-released with updated Patch Release versions in the Solution section. The second update says that the first update can be ignored since patch release versions were maintained properly with the initial release. Therefore no action is required with respect to the updated note.

High Priority Note #3226411, tagged with a CVSS score of 8.1, is the second update on a Privilege Escalation vulnerability in the SAP SuccessFactors attachment API for Mobile Application(Android & iOS). At the time of its initial publication, the only possibility to patch this vulnerability was through deactivating attachments in the four affected modules: Time Off, Time Sheet, EC Workflow, and Benefit Claims. The first update of the note in September addressed attachments to reactivate the capacity to use attachments in the first three modules, the newest patch provides a secure solution for the Benefit Claims module.

The New HotNews Notes in Detail

SAP Security Note #3243924, tagged with a CVSS score of 9.9, patches a vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) that is caused by an insecure deserialization of untrusted data. Some of the SAP BusinessObjects BI workflows allow an authenticated attacker, with low privileges, to intercept a serialized object in the parameters and substitute it with a malicious serialized one. As the deserialization process did not contain any verification of the processed data, this could highly compromise the confidentiality, integrity, and availability of the system. The only reason why this vulnerability is not tagged with the maximum CVSS score of 10 is because it requires the attacker to have a minimum set of privileges in order to exploit it. The note refers to Knowledge Base article #3250938 which contains additional helpful information.

The second new HotNews Note, SAP Security Note #3249990, is tagged with a CVSS score of 9.8 and patches two vulnerabilities in the SQLite library that is included in the SAPUI5 framework. The more critical one (CVSS score 9.8) is tracked under CVE-2021-20223 and was fixed with SQLite version 3.34.0 and higher. This vulnerability enabled a remote attacker with minimal privileges to exploit the fact that SQLite treated NULL characters as tokens. This had the potential for considerable impact on confidentiality, integrity, and availability of all applications using SAPUI5.  

The second SAP vulnerability is tagged with a CVSS score of 7.5 as it “only” impacts the availability of applications using SAPUI5. The vulnerability is tracked under CVE-2022-35737 and can also be exploited remotely. It doesn’t require that the attacker have any privileges in order for it to be executed. The vulnerability exists in SQLite versions 1.0.12 through 3.39.x before 3.39.2 and allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

The SAP Security Note provides new SAPUI5 patch releases built with a newer SQLite version that has patched the two vulnerabilities.

SAP Security Notes Released in Collaboration With The Onapsis Research Labs

The Onapsis Research Labs (ORL) contributed significantly to this SAP Patch Tuesday by supporting SAP in patching three vulnerabilities in total.

High Priority Note #3256571, tagged with a CVSS score of 8.7, patches two vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform. Both vulnerabilities affect remote-enabled function modules of the function group EPSF. Due to insufficient input validation, the two function modules could be called remotely with specially crafted parameters enabling them to read or delete files. The patch has now included an input validation for the relevant parameter values that checks for relative path information.

Another result of the continuous Onapsis’ security research is SAP Security Note #3238042, tagged with a CVSS score of 6.1. This note patches an URL Redirection vulnerability in SAP Biller Direct. SAP Biller Direct is a web-based engine for invoicing. It allows SAP customers to  review their account status and billing information. It also provides options for downloading invoices, making payments using credit cards or debit cards and using online banking. 

The Onapsis Research Labs detected that the application allows an unauthenticated attacker to craft a legitimate looking URL. When it is clicked by an unsuspecting victim, it will use an unsanitized parameter to redirect the victim to a malicious site of the attacker’s choosing. This can result in disclosure or modification of the victim’s information. The note provides a patch that now validates the affected parameter before the redirect is performed.

Other Critical Notes

SAP Security Note #3263436, tagged with a CVSS score of 7.0, is the second new High Priority Note on SAP’s November Patch Day. It patches an Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer. Improper memory management is at the root of this vulnerability. Arbitrary code execution can be triggered when a victim opens a manipulated file received from untrusted sources in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer. Only files of the AutoCAD (.dst, TeighaTranslator.exe) format are affected.

Summary and Conclusion

With 14 new and updated SAP security patches, including four HotNews Notes (with two of them being new) and three High Priority Notes, this is a calm Patch Day for SAP customers. The example of SAP Security Note #3256571 shows that even source code objects more than 25 years old can still suffer from security issues. It is not sufficient to check only newly created or changed objects for vulnerable code, the complete custom development must be evaluated.

SAP Note

Type

Description

Priority

CVSS

3251202

New

[CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform

BC-MID-ICF

Medium

4,7

3218159

New

Insufficient Session Expiration in Central Fiori Launchpad

CA-FLP-FE-COR   

Medium

6,1

3263436

New

[CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer

CA-VE-VEA

High

7,0

3243924

New

[CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)

BI-RA-WBI-FE

HotNews

9,9

3249990

New

[CVE-2021-20223] Multiple Vulnerabilities in SQlite bundled with SAPUI5

CA-UI5-VTK-VIT

HotNews

9,8

3229987

New

[CVE-2022-41259] Denial of service (DOS) in SAP SQL Anywhere

BC-SYB-SQAY

Medium

6,5

3238042

New

[CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct

FIN-FSCM-BD

Medium

6,1

3237251

New

[CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows

BC-FES-GUI

Medium

5,5

3256571

New

[CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform

BC-CTS-TMS

High

8,7

3260708

New

[CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation

EPM-BFC-TCL-ADM-SEC

Medium

6,5

2622660

Update

Security updates for the browser control Google Chromium delivered with SAP Business Client

BC-FES-BUS-DSK

HotNews

10,0

3226411

Update

[CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS)
 

LOD-SF-EC

High

8,1

3202523

Update

Cross-Site Scripting (XSS) vulnerability in SAP Commerce

CEC-COM-CPS

Medium

6,1

3239152

Update

[CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form

CEC-COM-CPS

HotNews

9,6

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.