SAP Security Notes June ‘18: What to Do with Critical Re-released Notes?

It’s the second Tuesday of June, which means SAP has published a new set of security notes. It seems that the downward trend in the number of monthly notes is continuing. This month, a total of 14 security notes has been released, with only seven notes published today. Six notes in total (almost 50%) are tagged as High Priority or Hot News. As we go through our traditional monthly analysis of the notes, we will dig deeper into a specific case that happens twice this month: what to do when a SAP Security Note is re-released.

This month we see a high percentage of severe notes. Two Hot News notes were published during the month, although both are re-releases. One of the Hot News notes concerns a security flaw in Report for Terminology Export, originally reported by Onapsis back in November 2016. Today, four additional High Priority notes were added. We see these high severity notes appear in all kinds of different SAP components, some of which perhaps require additional explanation. We intend to give an overview of these notes in one of the next sections. All remaining notes this month are of Medium Priority; we do not see any Low Priority notes appearing this time. 

Hot News Re-re-released: Should I Worry Now?
As mentioned before, both Hot News notes released this month are actually re-releases. They were both published last month, shortly after the previous Patch Day. One of the questions that some customers have raised is what to do when a SAP Security Note that has been already applied is re-released: do I need to install it again? To bring more clarity, both notes reported this month will help us to provide an answer. We have written about both notes before in previous blog posts, but for completeness’ sake we will discuss below what has happened in the meantime and answer this specific question for both notes.

  • OS Command Injection Vulnerability in Report for Terminology Export (#2357141): This security note, originally reported by the Onapsis Research Labs, was first published in November 2016, after which we wrote about it. When it was re-released one year later, in December 2017, we explained that the bug was indeed fixed, but introduced a malfunction in the GUI. Manual steps were required to fix that. The only change this month is that these steps have now been updated (as far as we checked, only minor changes have been applied).

Do I need to install this SAP Security Note again? No you don’t. You can read in the note the following statement: “If this note has been already implemented, then there is no action required.” As was confirmed by our team, if the original note was installed, manual steps only have usability impact and no security implications.

  • Security Updates for Third-party Web Browser Controls Delivered with SAP Business Client (#2622660): This re-released note was first discussed in April of this year. This current month an additional Support Package Patch for SAP Business Client 6.5 was released, containing the most recent stable release of the Chromium browser control. Basically this note contains third-party updates that are implemented in the SAP environment through specific SAP Security Notes. These notes are quite relevant since often those third-party tools exploits could be more massive or exposed than specific exploits to SAP, that tend to be more targeted and selected.

Do I need to install this SAP Security Note again? Yes you do. SAP is also pretty clear in the content of the note: “This note will be modified periodically based on web browser updates by respective vendors.” Any time SAP updates this Security Note, you need to do it too.

As you can imagine, both notes analysis make it pretty clear: there is no rule for re-released notes. Some of them need to be installed again, and some not, and the only way to know that is to read and analyze the notes. Is there a way to make it easier? Our team analyzes all SAP Security Notes every month to have a deeper understanding of a complex patch framework that includes different files, manual steps, and specific processes described in attachments, among others. So, keep reading our blog for quicker analysis or contact Onapsis Research Labs if you are a customer.

High Priority Notes Released This Month
The remaining notes of importance this month are of a High Priority and concern a number of different SAP components; some less well-known than others. We will describe the notes below and attempt to explain the significance of these components. 

  • Code Injection Vulnerability in SAP Internet Sales (#2626762): Internet Sales is SAP’s eCommerce solution. The note describes a known vulnerability existing in Apache Struts, which SAP uses in SAP Internet Sales. Struts is an open source Model-View-Controller (MVC) framework that can be used to create Java EE web applications. We have discussed the risks of using third-party open source software before and yet again we see an example of its implications in this note.

For a few years a vulnerability has existed in the MultiPageValidator (MPV) functionality of Apache Struts (CVE-2015-0899). When collecting large amounts of data from the user through forms, this component is used to validate that form fields contain (correctly formatted) information. It has been found that the input validation can be skipped by changing the value of a web request parameter which is used in MPV. An attacker could thereby control the behavior of the application.

It is advised to install the appropriate Support Package Patches mentioned in the note. These patches contain Java Correction(s) for E-Commerce / Web Channel with additional input validation to prevent this vulnerability.

  • Denial of service (DOS) in Internet Sales (#2629535): Yet again we see a bug introduced by using third-party software, this time in the Apache Commons FileUpload component. Apache Commons is an “Apache project focused on all aspects of reusable Java components.” The Commons FileUpload package, “makes it easy to add robust, high-performance, file upload capability to your servlets and web applications.”

This particular vulnerability was found in in Commons FileUpload. It allows remote attackers to cause a Denial of Service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop’s intended exit conditions. This means an attacker can prevent legitimate users from accessing a service, either by crashing or flooding a service.

Similar to the previously discussed Internet Sales note, the fix consists of installing the Support Package Patches posted in the note.

  • [CVE-2018-2425] Information Disclosure in SAP Business One for SAP HANA Backup Service (#2588475): Business One is SAP’s more lightweight ERP system designed for small to medium-sized businesses. The vulnerability discussed in the note exists in the Business One version for SAP HANA, more specifically in its backup service. The note does not contain many details, but mentions the vulnerability allows an attacker to access information which would otherwise be restricted. It does seem the sensitive information exists in the backup service logs. The fix implies updating your Business One component software.
  • [CVE-2018-2408] Improper Session Management in SAP Business Objects -CMC/BI Launchpad/Fiorified BI Launchpad (#2537150): This is a re-release of a note we discussed in our April blog post. It concerns a vulnerability in SAP BusinessObjects which caused existing user sessions to remain active after their passwords were changed. It seems the re-release only concerns the addition, or correction, of the hyperlink to CVE-2018-2408.

As always, we are working on updating the Onapsis Security Platform to incorporate these newly published vulnerabilities. This will allow our customers to check whether their systems are up to date with the latest SAP Security Notes and will ensure that those systems are configured with the appropriate level of security to meet their audit and compliance requirements. Please check our website for additional information on all topics discussed in this blog post.