SAP NetWeaver Process Integration Affected by Two HotNews Vulnerabilities
Highlights of December SAP Security Notes analysis include:
- December Summary -Twenty new and updated SAP security patches released, including five HotNews Notes and five High Priority Notes.
- SAP NW Process Integration(PI) in Focus - HotNews vulnerabilities in Messaging System and User Defined Search require urgent patching
- Onapsis Research Labs Collaboration - Onapsis Research Labs contributed in fixing five vulnerabilities including the two HotNews vulnerabilities in SAP PI and one High Priority Note affecting all applications running on SAP NW ABAP
SAP has published twenty new and updated Security Notes on its December Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes five HotNews Notes and five High Priority Notes.
One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 107.0.5304.122 which fixes thirty-four vulnerabilities in total compared to the last supported version, including twenty-four High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 9.6.
High Priority Note #3249990 was initially released on SAP’s November Patch Day as a HotNews and has been downrated. One of the two referenced vulnerabilities in SQlite bundled with SAPUI5 was rejected five days after it was published.
High Priority Note #3229132 contains an update on the proposed workaround. It patches an Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform and was initially released in October.
The New HotNews Notes in Detail
The Onapsis Research Labs (ORL) contributed to patching two critical vulnerabilities in SAP NetWeaver Process Integration(PI). The ORL detected that the Messaging System and the User Defined Search in SAP PI expose services through the P4 protocol that don’t require user authentication. This allows attackers to make use of an open naming and directory API to access services which could perform unauthorized operations. SAP Security Note #3273480, tagged with a CVSS score of 9.9, patches the vulnerability in User Defined Search. SAP Security Note #3267780, tagged with a CVSS score of 9.4, provides the corresponding patch for the Messaging System. Both patches enforce user authentication and checks for appropriate authorizations. The following user management engine (UME) roles are extended by the new authorizations:
- SAP_XI_ADMINISTRATOR_J2EE - full access
- SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE - read and write access
- NWA_READONLY - read only access
SAP Security Note #3239475, tagged with a CVSS score of 9.9, patches a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform. Since an exploit requires minimum authorizations, it prevents this vulnerability from being tagged with the maximum CVSS score of 10. Attackers with “normal BI user privileges” are able to upload and replace any file on the Business Objects server at the operating system level. This enables the attacker to take full control of the system and has a significant impact on confidentiality, integrity, and availability of the application. The CVSS score, along with the high impact, makes this the most critical vulnerability of December’s Patch Day - at least for SAP BusinessObjects Business customers.
The same impact affects SAP Commerce customers when considering SAP Security Note #3271523. This note is tagged with a CVSS score of 9.8 and patches another HotNews vulnerability. The vulnerability affects SAP Commerce and is caused by a version of the open source Java library Apache Commons Text, which is vulnerable to CVE-2022-42889. Under certain conditions, the affected version may be vulnerable to remote code execution or unintentional contact with remote servers, if untrusted configuration values are used.
High Priority SAP Security Notes
While all the new HotNews Notes only affect specific SAP applications, the vulnerability patched with SAP Security Note #3268172, tagged with a CVSS score of 8.8, impacts a much broader range of SAP customers, since it is included in the SAP BASIS software component. The Onapsis Research Labs detected that a remote-enabled function module of the component allows an authenticated attacker to access a system class and execute any of its public methods using parameters provided by the attacker. On successful exploitation the attacker can have full control of the system, causing high impact on the confidentiality, integrity, and availability of the application.
High Priority Note #3271091, tagged with a CVSS score of 8.5, patches a Privilege Escalation vulnerability in SAP Business Planning and Consolidation. According to the note, a standard role that is shipped with this application contains authorizations to start customer transactions. By implementing such transaction code, attackers may execute unauthorized transaction functionality allowing them to escalate their privileges to be able to read, change, or delete system data.
I checked the affected role on two of our Onapsis test systems and the situation seems to be more critical. While the role contains authorizations on transactions UJ* (which, based on the source code of the function module TRINT_GET_NAMESPACE, does not represent a reserved customer namespace for transactions), the corresponding profile grants permission to execute all transactions. That means that users assigned to the affected role can execute any transaction in the SAP system. Customers should definitely re-generate the profile for the role as described in the note. Since roles and profiles cannot be shipped via automatic correction instructions, the note only refers to the patching support packages.
A Cross-Site Scripting vulnerability in SAP Commerce allows attackers to steal user tokens, and achieve full account takeover, including access to administrative tools in SAP Commerce. This vulnerability is addressed by SAP Security Note #3248255 and tagged with a CVSS score of 8. The good news is that the corresponding patch releases also include the fix for the HotNews vulnerability described in SAP Security Note #3271523.
Onapsis Research Labs Contribution
In addition to supporting SAP in patching the critical vulnerabilities in SAP PI and in the SAP BASIS component, our team also contributed in patching two vulnerabilities in SAP SolutionManager.
The first vulnerability affects the Enterprise Search application of SAP SolutionManager and allows unauthenticated attackers to redirect a logged-on user to a malicious web page that could either read or modify confidential information or expose the user to a phishing attack. The vulnerability is patched with SAP Security Note #3271313 and tagged with a CVSS score of 6.1.
The ORL team also uncovered an improper access control in the SAP SolutionManager Diagnostics Agent that could lead to unauthorized file and system access. SAP Security Note #3265173, tagged with a CVSS score of 6.0, provides the corresponding patch.
Summary and Conclusions
With twenty new and updated SAP Security Notes, including five HotNews Notes and five High Priority Notes, the last SAP Patch Day of the year is a busy one. It was an extraordinary year for everyone responsible for SAP security. I am thrilled about the contribution the Onapsis Research Labs was able to make in patching a lot of serious vulnerabilities. I also appreciate their ability to collaborate with the SAP security team in order to increase awareness for SAP customers about their system security and provide them the best possible protection.
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defender’s Digest Newsletter.