SAP Security Patch Day December 2021: A Patch Day in the Shadow of Log4j

SAP Security Notes Blog

Highlights of December SAP Security Notes analysis include:

  • December Summary – 21 new and updated SAP security patches released, including four HotNews Notes and six High Priority Notes 
  • Information on Log4j – More than 30 SAP applications are affected by CVE-2021-44228
  • Most critical patches for SAP Commerce – Three patches released with a CVSS range between 7.5 and 9.9

About the Impact of the Log4j Vulnerability on SAP Applications

SAP’s December Patch Tuesday is marred by the detection of the critical Log4j vulnerability that was published on December 10, 2021. The SAP Security team is intensively checking the possible impact on SAP applications and has summarized the current status of its analysis in this document. As of today (December 14, 2021), SAP has identified 32 applications that are affected by CVE-2021-44228. 20 of them are already patched, 12 are currently pending. The document also provides workarounds for some of the pending applications. A search for ‘log4j’ on SAP’s Support Portal currently returns 50 related SAP Notes and Knowledge Base entries that were released since December 12, 2021.

SAP has published 21 new and updated Security Notes on its December Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes four HotNews Notes and six High Priority Notes. 

Four HotNews Notes seems like a high number, but a closer look shows that HotNews Note #3089831, tagged with a CVSS score of 9.9, was initially released in September 2021 and was updated in December with some information about the possible symptoms. SAP explicitly says that the update does not require any customer action.

SAP Security Note #2622660 is the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 62 Chromium fixes with a maximum CVSS score of 9.6 — 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues.

The High Priority Note #3077635, tagged with a CVSS score of 7.8, contains an updated “Solution” section for a Denial-of-Service vulnerability in SAP SuccessFactors Mobile Application that was initially released in October 2021.

 

The New HotNews Notes in Detail

SAP Security Note #3119365, tagged with a CVSS score of 9.9, patches a Code Injection vulnerability in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform. The vulnerability allows a low privileged attacker to execute arbitrary commands in the background. It is not tagged with the maximum CVSS score of 10 because exploiting the vulnerability requires at least a few privileges. The provided patch just deactivates the affected coding. The report is only used by SAP internally, was not intended for release, and does not impact existing functionality. Readers who have access to the note and who are interested in which report is affected can get that information in the “Correction Instructions” section by activating the tab “TADIR Entries.”

The second new HotNews Note is SAP Security Note #3109577. It is tagged with a CVSS score of 9.9 and patches multiple Code Execution vulnerabilities in SAP Commerce, localization for China. The localization for China package uses the open source library XStream for serializing objects to XML and back. The note provides a patch for version 2001 of the localization package. SAP Commerce customers using a lower version need to upgrade the package before applying the patch. When comparing the CVEs listed in the note with the listed patches on https://x-stream.github.io/security.html, there are two things worth mentioning:

  • The provided SAP patch contains version 1.4.15 of the XStream library
  • Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the XStream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Side Request Forgery vulnerability

As a workaround, affected customers can also directly replace the affected XStream library file with its latest version.
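To find the library files this note and workaround concern, the following added example (not SAP's or Onapsis's code) walks an installation directory and reports XStream jars older than 1.4.15, the version shipped with the SAP patch. It assumes the jar carries standard Maven metadata at the path shown and otherwise falls back to the file name; the function names are hypothetical.

```python
import re
import zipfile
from pathlib import Path

PATCHED = (1, 4, 15)  # XStream version shipped with the SAP patch, per the note
# Assumption: the jar was built with Maven and keeps its default metadata entry.
POM_PROPS = "META-INF/maven/com.thoughtworks.xstream/xstream/pom.properties"


def parse_version(text):
    """Turn '1.4.11.1' into (1, 4, 11, 1); return None if no dotted version is found."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None


def xstream_version(jar_path):
    """Read the version from the jar's Maven metadata, else from its file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line)
    except (KeyError, zipfile.BadZipFile):
        pass  # no Maven metadata or not a readable archive: fall back to the name
    return parse_version(Path(jar_path).name)


def find_outdated_xstream(root, minimum=PATCHED):
    """Return (path, version) pairs for xstream jars below `minimum`.

    Jars whose version cannot be determined are reported with version None
    so that they get a manual look instead of being silently skipped.
    """
    findings = []
    for jar in Path(root).rglob("xstream*.jar"):
        version = xstream_version(jar)
        if version is None or version < minimum:
            findings.append((str(jar), version))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    import sys
    for path, version in find_outdated_xstream(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ".".join(map(str, version)) if version else "unknown version")
```

Copies of XStream repackaged inside other archives under a different file name are not detected by this file-name based walk.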

Details About the High Priority Notes

SAP Commerce is also affected by two High Priority Notes on SAP’s December Patch Day.

SAP Security Note #3114134, tagged with a CVSS score of 8.8, addresses SAP Commerce installations configured to use an Oracle database. The escaping of values passed to a parameterized “in” clause, in flexible search queries with more than 1000 values, is processed incorrectly. This allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.
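The note does not publish the flawed code. As an added illustration (not SAP Commerce code), the sketch below shows a safe way to build an "in" predicate for more than 1000 values on Oracle: Oracle rejects more than 1000 expressions in a single list (ORA-01795), so the list is split into groups while every value remains a bind parameter instead of being escaped into the SQL text. The function and column names are hypothetical.

```python
import re

ORACLE_IN_LIMIT = 1000  # Oracle raises ORA-01795 above 1000 expressions per IN list
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$#]*(\.[A-Za-z_][A-Za-z0-9_$#]*)?\Z")


def build_in_predicate(column, values, limit=ORACLE_IN_LIMIT):
    """Return (sql_fragment, binds) for `column IN (...)` with any number of values.

    Values never enter the SQL text: each becomes a named bind (:v0, :v1, ...),
    and lists longer than `limit` are split into OR-ed groups.
    """
    if not _IDENT.match(column):
        raise ValueError("column must be a plain identifier, not user input")
    values = list(values)
    if not values:
        return "1 = 0", {}  # an empty list matches nothing
    binds = {f"v{i}": v for i, v in enumerate(values)}
    names = list(binds)
    groups = [
        f"{column} IN ({', '.join(':' + n for n in names[i:i + limit])})"
        for i in range(0, len(names), limit)
    ]
    return "(" + " OR ".join(groups) + ")", binds


if __name__ == "__main__":
    # Constructed input: 2500 product codes, the last one carrying SQL metacharacters.
    codes = [f"P{i:05d}" for i in range(2499)] + ["x') OR ('1'='1"]
    sql, binds = build_in_predicate("p.code", codes)
    print(sql.count(" IN ("), "groups,", len(binds), "binds")
    # With a driver that supports named binds, e.g. python-oracledb:
    #   cursor.execute("SELECT p.pk FROM products p WHERE " + sql, binds)
```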

SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. An attacker with direct write access to product-related metadata in B2C Accelerator can exploit a vulnerability in the jsoup library responsible for metadata sanitization before it is processed. This allows the attacker to cause long response delays and service interruptions resulting in a Denial-of-Service situation.

SAP Security Note #3102769, tagged with a CVSS score of 8.8, patches a Cross-Site Scripting vulnerability in SAP Knowledge Warehouse (SAP KW) that can result in a disclosure of sensitive data. The vulnerability affects the displaying component of SAP KW, and SAP explicitly points out that the mere presence of that component in the customer’s landscape is all that is needed to be vulnerable. A security breach might occur even if a customer does not actively use the displaying component of SAP KW. In addition to the attached patch, the note also describes two possible workarounds:

  • Disabling the affected display component by adding a filter with a specific custom rule
  • Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)

SAP Security Note #3123196, tagged with a CVSS score of 8.4, describes a Code Injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP. A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system. SAP has fixed the issue by integrating the affected methods directly into the class without the possibility of passing parameters to the methods. The affected classes and methods are available in the “Correction Instructions” section by activating the tab “TADIR Entries.”

SAP Security Note #3124094, tagged with a CVSS score of 7.7, patches a Directory Traversal vulnerability in the SAF-T framework. This framework is used to convert SAP tax data into the Standard Audit File Tax format (abbreviated as SAF-T) and back. The SAF-T is an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes. An insufficient validation of path information in the framework allows an attacker to read the complete file system structure.

Summary and Conclusions

With 21 new and updated notes, including four HotNews Notes (with two of them being new) and six new and updated High Priority Notes, the last SAP Patch Tuesday in 2021 is slightly above this year’s average. The Log4j vulnerability as well as the vulnerabilities described in SAP Security Notes #3109577 and #3113593 demonstrate that there is always a risk involved when using open source libraries. The ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component. 

The Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities so that our customers can protect their organizations.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.