The Onapsis Blog

The world of business-critical application security is dynamic, with new developments happening on a continuous basis. Check out our blog for recommendations, insights and observations on the latest news for securing your SAP®, Oracle® and Salesforce applications.

SAP Patch Day: January 2023

SAP Patch Day: January 2023

HotNews for SAP NetWeaver AS ABAP May Require Fixes in Custom Code

Highlights of January SAP Security Notes analysis include:

  • January Summary—12 new and updated SAP security patches released, including seven HotNews Notes
  • All SAP customers affected by SAP HotNews Notes—Critical vulnerabilities patched for SAP AS ABAP and Java
  • Onapsis Research Labs Contribution—Our team supported SAP in patching a CVSS 9.4 vulnerability in SAP AS Java

The new SAP Security year has started with 12 new and updated SAP Security Notes, including four new and three updated HotNews Notes.

The three updated HotNews Notes are comprised of SAP Security Notes #3267780 and #3273480 which were initially released by SAP in December 2022. They patch two Improper Access Control vulnerabilities in SAP NetWeaver AS Java that were detected by the Onapsis Research Labs. The updated notes provide patches for additional support package levels of SAP NW AS Java 7.50.

SAP Security Note #3243924, tagged with a CVSS score of 9.9, was the most critical patch of SAP’s November 2022 Patch Day and affected SAP BusinessObjects customers. The update contains an extension of the proposed workaround, and notes that two web pages are no longer accessible when applying the workaround.

The HotNews Notes in Detail

SAP Security Note #3089413 has the lowest CVSS score of all new HotNews Notes (CVSS 9.0) but it is possibly the most critical one of SAP’s January Patch Day, since it affects the majority of all SAP customers, and its mitigation is a challenge. A Capture-Replay vulnerability in the architecture of trusted-trusting RFC and HTTP communication scenarios allows malicious users to obtain illegitimate access to an SAP system. Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations. Both of the systems of a communication scenario need to be patched to mitigate the vulnerability. 

The development team must be involved to adjust the code if dynamic destinations are used in custom code or if this code includes the generation of permanent or transient RFC destinations via SAP API, using trusted/trusting relationships. 

The fact that SAP explicitly recommends a backup of the affected systems before patching indicates that customers must be aware of unforeseen problems during the patch and migration process. The note refers to a How-To-Guide in SAP Note #3281854 for the manual migration steps and to an FAQ list in SAP Note #3157268. Here, customers can find answers to important questions like:

  • How can I reduce the attack surface?
  • Are old trusted/trusting connections still working, after a system has the required kernel patch and ABAP SP level/ABAP patch installed?
  • Do trusted/trusting relationships work during migration?
  • What happens if only one side of a trusted/trusting relationship has applied the relevant correction instructions?
  • How do I adjust affected custom code?

For SAP customers with questions not covered in the FAQ, we strongly recommend referring to the SAP Security Notes webcasts of the American SAP User Group(ASUG) and the Deutschsprachige SAP Anwender Gruppe (DSAG). Please refer to SAP’s Patch Day blog

The set of the four new HotNews Notes is headed by two CVSS 9.9 vulnerabilities. SAP Security Note #3262810 patches a critical Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP). The vulnerability can be exploited by an authenticated attacker over the network and can cause a high impact on the confidentiality, integrity, and availability of the application. The note contains a patch and a workaround for those customers who can’t provide this patch immediately. However, this workaround can only be used as a temporary solution as it removes, stops or disables the affected service.

SAP Security Note #3275391 patches the second CVSS 9.9 vulnerability. An exploit of this vulnerability allows an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation Microsoft (SAP BPC MS). The crafted queries can include commands to read, modify, or delete arbitrary data from the backend database.

SAP Security Note #3268093, tagged with a CVSS score of 9.4, is a result of the continuous security research of the Onapsis Research Labs( ORL). After identifying the Messaging System and the User Defined Search in SAP NW AS Java as being vulnerable to improper access control (refer to the updated HotNews Notes #3267780 and #3273480), our ORL team recognized a similar problem in the rfcengine P4 service. The vulnerability allows an unauthenticated attacker to attach to an open interface of the service. They can then make use of an open naming and directory API to access services. This can be used to perform unauthorized operations affecting users and data on the current system. This could allow the attacker to have full read access for user data, to make modifications to user data, and to make particular services within the system unavailable.

Summary & Conclusions

At first glance, the year seems to start with a calm SAP Patch Day. With only nine new Security Notes, including four HotNews Notes, patching efforts seems to be manageable. However, HotNews Note #3089413 may affect a lot of SAP customers and the complexity of the mitigation suggests a lot of work, for SAP administrators and potentially for SAP development departments.
 

SAP Note

Type

Description

Priority

CVSS

3262810






 

New

[CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)

BI-RA-AWB

HotNews

9,9

3150704





 

New

[CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)

FIN-FSCM-CLM-BAM   

Medium

4,5

3283283





 

New

[CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

BC-ABA-LA

Medium

6,1

3268093

 

 

New

[CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java

BC-MID-CON-JCO

HotNews

9,4

3266006

 

 

 

New

[CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)

BI-RA-CR

Medium

5,4

3089413

 

 

 

New

[CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

BC-MID-RFC

HotNews

9,0

3275391

 

 

 

New

[CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS

EPM-BPC-MS

HotNews

9,9

3251447

 

 

 

New

[CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)

BI-RA-WBI-FE

Medium

4,6

3276120

 

 

New

[CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)

BC-CCM-HAG

Medium

6,4

3243924

 

 

 

Update

[CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)

BI-RA-WBI-FE

HotNews

9,9

3267780

 

 

 

Update

[CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System)

BC-XI-CON-MSG

HotNews

9,4

3273480

 

 

 

Update

[CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)

BC-XI-CON-UDS

 

HotNews

9,9
 

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

 

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.

Request a Demo from Onapsis

Secure your 
business-critical SAP,
Oracle and SaaS apps

Get a first-hand look at the only platform built for protecting SAP and Oracle applications.

Request a demo