SAP Security Patch Day May 2021: Calm Patch Day with SAP Business One in Focus

SAP Security Notes Blog

Highlights of May SAP Security Notes analysis include:

  • May Summary—14 new and updated SAP security patches released, including three HotNews notes and three High Priority notes
  • In Focus: SAP Business One (B1)—Issues with installations based on Chef Cookbooks
  • Calm Patch Day—Only nine new security notes since April Patch Day

SAP® has released 14 new and updated SAP Security Notes on its May 2021 patch release, including the notes that were released since last Patch Day. As part of this month’s patch release, there are three HotNews notes and three High Priority notes.

But once again, looking in more detail, it becomes obvious that not all of the six critical notes are really new:

SAP Security Note #3040210, tagged with a CVSS score of 9.9, was updated only 6 days after its initial release on April Patch Day. The note provides a patch for the rules engine in SAP Commerce on-premise and SAP Commerce Cloud. Unfortunately, it is impossible to identify the reason for the update but one can assume that it’s nothing worth mentioning as SAP normally will introduce updated notes with some kind of information about the update reason when more important.

The validity of the correction instructions in SAP Security Note #2999854, also tagged with a CVSS score of 9.9, was extended. The note that fixes critical Code Injection vulnerabilities in SAP Business Warehouse and SAP BW/4HANA now provides additional correction instructions for SAP BW 7.40 SP3 and SP4. 

There is a new SAP Business Client patch released with SAP Security Note #2622660. SAP Business Client now includes Chromium version 90.0.4430.93. Compared to the last supported Chromium version (89.0.4389.90), this new version fixes 63 security issues in total, including 22 High Priority patches that are based on externally reported issues. The highest CVSS score of all newly fixed vulnerabilities is 9.6.

In Focus: SAP Business One

Two High Priority notes, of three in total, patches issues in SAP Business One (B1). Both are caused by installations that were carried out via Chef Cookbooks.

Chef is a configuration management technology developed by Opscode to manage infrastructure on physical or virtual machines. It is an open source tool, which helps in managing complex infrastructure on the fly.

Chef Cookbooks contain values and information about the desired state of a managed node. Using the Cookbook, the Chef server and Chef client ensure the defined state is achieved.

SAP provides two Chef Cookbooks for automated SAP Business One test system installations on GitHub—one for SAP B1 on MS SQL Server and one for SAP B1 on SAP HANA. The vulnerability in the first Cookbook is described in SAP Security Note #3049755, tagged with a CVSS score of 7.8, and can lead to an Information Disclosure on payroll data. The issues in the cookbook for SAP B1 on SAP HANA are patched with SAP Security Note #3049661, also tagged with a maximum CVSS score of 7.8, and can additionally lead to the injection of malicious code allowing an attacker to control the behavior of the entire application. Both notes refer to an updated version of the Cookbooks on GitHub and recommend to delete and recreate the affected test systems.

Other Critical SAP Security Notes in May

There was only one additional High Priority note released on May Patch Day. SAP Security Note #3046610, tagged with a CVSS score of 8.2, affects SAP NetWeaver AS ABAP up to version 7.31. These versions include a SAP Basis program that allows the injection of malicious code and thus enables an attacker who has access to the local SAP system to read and overwrite data, as well as initiate a Denial-of-Service attack. Only the need for local access, together with the fact that an attacker requires high privileges to execute the program, prevents this vulnerability from being tagged with a CVSS score of 10!

Summary & Conclusions

SAP’s May Patch Day was a rather calm one. Two of the three HotNews notes only contain minor updates and the third one covers the recurring update on SAP Business Client. Nevertheless, there are three lessons learned from this Patch Day. The two reported SAP Business One vulnerabilities clearly show: 

  • Never use tools and methods for system installation and operation that are not explicitly released by SAP for production
  • Anonymize your test data whenever possible
  • Isolate your test environment technically from your production environment
SAP May 2021

As always, the Onapsis Research Labs is continuously updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.