SAP Security: A Look Back at 2021 Highlights

As 2021 draws to a close, Onapsis Research Labs shares a short summary of this year’s most important highlights relating to SAP security as well as a statistical analysis of this year’s SAP Patch Days. 

April 2021: Onapsis Research Labs provides evidence for malicious cyber activities targeting critical SAP applications

It seemed as though 2021 began uneventfully, but behind the scenes the Onapsis Research Labs team was hard at work on a major project. The results of those efforts were published in April.

The team set up an environment that exposed unpatched SAP systems to the internet and tracked suspicious activity against those systems. The results were published in a joint Threat Intelligence Report released by Onapsis and SAP.

The research revealed that threat actors have the motivation, means, and expertise to identify and exploit unprotected business-critical SAP applications. And they are actively doing so. Some key findings included:

  • Threat actors are active, capable, and widespread: Evidence of 300+ automated exploitations leveraging seven SAP-specific attack vectors and 100+ hands-on-keyboard sessions from a wide range of threat actors. It is clear that cyberattackers have sophisticated knowledge of business-critical applications. They are actively targeting and exploiting unsecured SAP applications through varied techniques, tools, and procedures.
  • The window for defenders is small: Critical SAP vulnerabilities are being weaponized within 72 hours of a patch release. New unprotected SAP applications provisioned in cloud (IaaS) environments are being discovered and compromised in less than three hours.
  • Threats have both security and compliance impact: Exploitation has dire consequences; it can lead to full control of unsecured SAP applications. Common security and compliance controls can be bypassed, enabling attackers to steal sensitive information, perform financial fraud, or disrupt business-critical enterprise processes, including by deploying ransomware or stopping operations. These threats can have significant regulatory compliance impacts, including SOX, GDPR, CCPA, and others.
  • Ransomware protection is more than backups and endpoint security: Both are critical components of a solid security program, without a doubt. However, their presence can lull organizations into a false sense of security since gaps remain, especially for business-critical systems that are connected in more ways than ever before.

September 2021: SAP Patch Day with record-breaking number of critical Security Notes

SAP released the impressive number of seven new HotNews Notes and two High Priority Notes on its September Patch Day. While one of the HotNews Notes was only a minor update of an older one, the remaining eight critical notes addressed new vulnerabilities in the following components:

| Component | CVSS | SAP Security Note |
|---|---|---|
| Java Message Service Connector | 10.0 | 3078609 – [CVE-2021-37535] Missing Authorization check in SAP NetWeaver Application Server for Java (JMS Connector Service) |
| SAP Knowledge Management | 9.9 | 3081888 – [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms) |
| SAP Visual Composer | 9.9 | 3084487 – [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT) |
| Near Zero Downtime (NZDT) Mapping Table framework | 9.9 | 3089831 – [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework |
| SAP Contact Center | 9.6 | 3073891 – [CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center |
| SAP Business Client | 9.6 | 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client |
| SAP Web Dispatcher | 8.9 | 3080567 – [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher |
| SAP CommonCryptoLib | 7.5 | 3051787 – [CVE-2021-38177] Null Pointer Dereference vulnerability in SAP CommonCryptoLib |

Onapsis Research Labs contributed to this remarkable number of critical patches by reporting the vulnerabilities fixed by notes #3081888, #3080567, and #3051787.

November 2021: U.S. Cybersecurity and Infrastructure Security Agency released Binding Operational Directive 22-01

On November 3, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities. It is a compulsory directive for federal executive branch departments and agencies, and implementing CISA's recommendations is generally considered a minimum best practice for enterprises as well.

The purpose of BOD 22-01 is to aggressively remediate known exploited vulnerabilities to protect federal information systems and reduce cyber incidents. These vulnerabilities are considered to pose significant risk to agencies and the federal enterprise. Vulnerabilities that have previously been used to exploit public and private organizations are frequent attack vectors for malicious cyber actors of all types.

SAP has already released Security Notes for all of the SAP-related issues in the directive. It is important to note that all of the critical SAP vulnerabilities listed in the CISA catalog were identified as being exploited in the wild in the joint Threat Intelligence Report released by Onapsis and SAP. (See here for the Onapsis Research Labs blog that helps SAP Security administrators review their SAP systems.)

December 2021: Log4j shakes the internet

On December 10, the IT world was shaken by the publication of a critical vulnerability in the widely used open source library Log4j. Researchers detected an unauthenticated remote code execution vulnerability that could allow an intruder to take over an affected system completely. Quite a few IT security experts consider it the most serious vulnerability of all time. From that day on, a race began between threat actors and IT security departments all over the world.

The SAP security team immediately started to analyze which SAP applications were affected. The current status of this analysis is summarized in this document. As of December 20 at 3:21 p.m. EST, the document listed 78 applications already patched by SAP, 21 applications with a pending patch, and 296 applications not affected by the vulnerability. For more detailed information about each patch, it is worth searching periodically for Log4j in the SAP Portal. For the most up-to-date information from Onapsis regarding the Log4j vulnerability, please refer to our security advisory here. See additional Onapsis Research Labs threat intelligence about Log4j here.

SAP Patch Day Statistical Trends

The total of 185 SAP Security Notes in 2021 is very close to the all-time low of 179 notes in 2019, so the upward trend indicated in 2020 did not continue. The same holds for the number of critical notes (counting HotNews Notes and High Priority Notes as “critical”): with 23 HotNews Notes and 34 High Priority Notes, the 2021 values are slightly above the 2019 and 2020 average numbers.


In 2021, the Onapsis Research Labs team contributed to detecting and patching a significant number of these published vulnerabilities:

| Priority | HotNews | High | Medium | Low | Total |
|---|---|---|---|---|---|
| Total Number in 2021 | 23 | 34 | 122 | 6 | 185 |
| Onapsis Contribution | 3 | 11 | 4 | 0 | 18 |

Conclusion

The year 2021 has shown that timely patching is absolutely key to keeping business applications and data out of reach of compromise. More and more threat actors have sophisticated knowledge of business-critical applications and are actively targeting and exploiting unsecured SAP applications. Although SAP’s September Patch Day came with a record-breaking number of critical notes, the number of SAP security patches released per year has not changed significantly over the past three years. It has settled at a level that should allow every SAP customer to stay up to date with the required security patches. Nevertheless, SAP customers can expect a lot of additional work in the coming days and weeks, as applying Log4j patches will keep them busy. So far, these patches have been released outside the regular SAP Patch Day cycle.
