SAP Security Patch Day: October 2022

SAP Security Notes Blog

Highlights of October SAP Security Notes analysis include:

  • October Summary – 23 new and updated SAP security patches released, including two HotNews Notes and six High Priority Notes 
  • Two HotNews Notes with CVSS score close to 10 – CVSS 9.9 vulnerability in SAP Manufacturing Execution and CVSS 9.6 issue in SAP Commerce
  • Large To Do List for SAP BO Customers – SAP Business Objects affected by eight new and updated SAP Security Notes, including three High Priority Notes

SAP has published 23 new and updated Security Notes in its October Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and six High Priority Notes. 

SAP Manufacturing Execution HotNews Note

SAP Security Note #3242933, tagged with a CVSS score of 9.9, patches a very critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins:

  • Work Instruction Viewer (WI500)
  • Visual Test and Repair (MODEL_VIEWER)

These are used for displaying all types of work instructions and models.

The URL used to request this information included a file path parameter that could be manipulated to traverse directories arbitrarily on the remote server. The content of files within each directory could be read in the context of the OS user running the NetWeaver process or service. The patch comes with a code correction that resolves the path internally, so the path can no longer be supplied dynamically as a request parameter. The CVSS score of 9.9 reflects that the impact on confidentiality, integrity, and availability can be high, depending on the kind of information that can be accessed during an attack.

As a temporary workaround, SAP recommends removing any sensitive information from the file systems that are accessible to the OS user, and restricting access to any unneeded file paths for this user.

Since the identification of sensitive information can be complex, the workaround can only minimize the risk. Affected customers should therefore apply the patch as soon as possible. However, restricting access to sensitive information is always recommended, independent of any existing vulnerability in the application.
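As an added illustration (not SAP's code and not taken from the note), the following Python sketch contrasts a file-viewer handler that joins a request-supplied path onto its content root with the hardened design the patch describes, where the server resolves the path internally from a document identifier; it also includes a small request-parameter check useful for log review. The content root, identifiers and paths are constructed for the example.

```python
# Added illustration, not SAP code: the traversal pattern described for the
# ME viewer plugins, the 'after' design where the path is resolved internally,
# and a simple request-parameter check for detection.
import posixpath
from urllib.parse import unquote

CONTENT_ROOT = "/opt/me/work_instructions"   # hypothetical content directory
# Constructed sample catalogue: document identifier -> path under CONTENT_ROOT.
INSTRUCTIONS = {
    "WI-1001": "line1/assembly.html",
    "WI-1002": "line1/inspection.html",
}

def vulnerable_resolve(file_path_param: str) -> str:
    """'Before': the request parameter is joined straight onto the root.
    normpath collapses the '..' segments, so the result can leave CONTENT_ROOT."""
    return posixpath.normpath(posixpath.join(CONTENT_ROOT, file_path_param))

def is_inside_root(path: str) -> bool:
    """True only when the normalised path is CONTENT_ROOT or lies below it."""
    root = posixpath.normpath(CONTENT_ROOT)
    return path == root or path.startswith(root + "/")

def fixed_resolve(instruction_id: str) -> str:
    """'After': the client sends only an identifier; the server maps it to a path
    it controls and re-checks the result against the root as defence in depth."""
    rel = INSTRUCTIONS.get(instruction_id)
    if rel is None:
        raise KeyError("unknown work instruction: %r" % instruction_id)
    full = posixpath.normpath(posixpath.join(CONTENT_ROOT, rel))
    if not is_inside_root(full):
        raise ValueError("configured path escapes the content root")
    return full

def looks_like_traversal(param: str) -> bool:
    """Detection helper for web server or WAF logs: flag a path parameter that,
    after (double) URL-decoding, is absolute or contains a '..' segment."""
    decoded = unquote(unquote(param)).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")
```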

SAP Commerce HotNews Note

The second HotNews Note is SAP Security Note #3239152, tagged with a CVSS score of 9.6. It patches an Account Hijacking vulnerability in the SAP Commerce login page. The login page contains multiple URLs that are called when the login form is submitted. These URLs were not properly sanitized by SAP and could be changed by manipulating the URL used to call the login form. Attackers were able to inject redirect information into the login page’s URLs, causing the login page to send sensitive information such as login credentials to an arbitrary server on the Internet. Attackers did not require any privileges to start an exploit, but they did need a user to click the malicious link that opens the manipulated login form. Bad actors can trick users into clicking this type of link by using phishing techniques to distribute the manipulated URL to legitimate SAP Commerce users.

SAP provides two workaround options. The first option recommends disabling the affected OAuth extension. This sounds like an easy solution, but the note includes a warning, since many other SAP Commerce extensions, as well as integrations with other systems, may rely on the OAuth extension.

The second workaround option recommends filtering malicious HTTP requests via Website Redirect directives. The note lists two directives that cause SAP Commerce not to process manipulated requests and to respond with an HTTP response status code 404 instead.

However, since there is no guarantee that the directives cover all possible situations, it is strongly recommended to apply the patch. The patch fixes this vulnerability by sanitizing URL paths and by outputting HTML encoded URLs into the affected OAuth login page.
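The following Python snippet is an added example, not SAP Commerce code, of the login-form URL problem described above and of the two-part fix the note names (restricting the form target to a same-origin path and HTML-encoding it before it is written into the page). The request parameter name and the default target are assumptions.

```python
# Added example, not SAP Commerce code: a login form whose action URL is built
# from a request parameter, first unsanitized, then restricted to a same-origin
# path and HTML-encoded before being written into the page.
import html
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/login"   # assumed fallback path used when the input is rejected

def vulnerable_login_action(redirect_param: str) -> str:
    """'Before': whatever arrived in the request URL is written into the form,
    so an absolute URL makes the browser post the credentials to a foreign host."""
    return '<form action="%s" method="post">' % redirect_param

def safe_redirect_target(candidate: str) -> str:
    """Keep only a relative, same-origin path plus query; anything else falls
    back to DEFAULT_TARGET (scheme, host, protocol-relative '//', CR/LF, ...)."""
    if not candidate or any(c in candidate for c in "\r\n\x00"):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:      # https://..., //host/..., javascript:
        return DEFAULT_TARGET
    path = parts.path
    # '//host' is caught above via netloc; browsers treat '/\' like '//'
    if not path.startswith("/") or path.startswith("/\\"):
        return DEFAULT_TARGET
    return urlunsplit(("", "", path, parts.query, ""))   # drop any fragment

def safe_login_action(redirect_param: str) -> str:
    """'After': validated target, HTML-encoded so it cannot break out of the
    attribute and inject further markup into the login page."""
    target = safe_redirect_target(redirect_param)
    return '<form action="%s" method="post">' % html.escape(target, quote=True)
```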

SAP Business Objects Vulnerabilities

SAP Business Objects (BO) is affected by eight new and updated SAP Security Notes, including three High Priority Notes. 

The eight notes patch five Information Disclosure vulnerabilities and three Cross-Site Scripting vulnerabilities.

An analysis of the required support package patch levels shows that the following patch levels fix seven of these vulnerabilities:

  • SBOP BI PLATFORM SERVERS 4.2
    • SP009, PL001000
  • SBOP BI PLATFORM SERVERS 4.3
    • SP002, PL000700
    • SP003, PL000000

SAP Security Note #3167342 affects the SAP Data Services software component and is therefore not covered by the above summary patch info.
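As an added example (not from the post or from SAP), this Python check parses an installed SBOP BI Platform Servers level and compares it with the fixed levels listed above; it assumes that support packages newer than those listed also contain the fixes.

```python
# Added example, not from the post: compare an installed SBOP BI Platform
# Servers level with the fixed support package / patch levels listed above.
import re

# Fixed levels as given in the post: release -> [(SP, PL), ...].
# Assumption: any support package newer than the listed ones also has the fixes.
FIXED_LEVELS = {
    "4.2": [(9, 1000)],
    "4.3": [(2, 700), (3, 0)],
}

_LEVEL_RE = re.compile(r"^(\d+\.\d+)\s+SP(\d+)\s*,?\s*PL(\d+)$")

def parse_level(text: str) -> tuple:
    """Parse strings such as '4.3 SP002, PL000500' into ('4.3', 2, 500)."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised patch level: %r" % text)
    return m.group(1), int(m.group(2)), int(m.group(3))

def is_patched(installed: str) -> bool:
    """True if the installed level is at or above a listed fixed level."""
    release, sp, pl = parse_level(installed)
    fixed = FIXED_LEVELS.get(release)
    if fixed is None:
        return False   # release not covered by the analysis: treat as unpatched
    if sp > max(f_sp for f_sp, _ in fixed):
        return True    # assumption: later support packages ship with the fix
    return any(sp == f_sp and pl >= f_pl for f_sp, f_pl in fixed)
```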

The three High Priority Notes for SAP BO patch Information Disclosure vulnerabilities.

SAP Security Note #3229132, tagged with a CVSS score of 8.2, patches an Information Disclosure vulnerability that allows attackers to obtain credential information of other users. Attackers must be authenticated for an exploit to occur. Depending on whether they are authenticated as an administrator or as a normal user, they can see the credentials in plain text or in encrypted form. The encrypted information is returned as part of the result of a query performed on the CMS DB.

The second High Priority Information Disclosure vulnerability is patched by SAP Security Note #3239293, tagged with a CVSS score of 7.7. The note gives few details about the vulnerability, which affects the BOE Admin Tools/BOE SDK component, but unlike note #3229132, SAP sees no impact on the system’s integrity and availability.

SAP Security Note #3213507 was initially released on SAP’s August Patch Day and updated at the end of September. As described in our August blog post, there were some inconsistencies in the CVSS rating. Based on our notification, SAP has now revised the CVSS rating for this vulnerability completely and the formerly Medium Priority Note with CVSS score 5.2 has now become a High Priority Note with a CVSS score of 8.2.

Other High Priority Notes

In addition to the three High Priority Notes for SAP BO, there are two for SAP 3D Visual Enterprise and another one for SAP SQL Anywhere/SAP IQ.

SAP Security Notes #3245928 and #3245929, both tagged with a CVSS score of 7.0, patch very similar vulnerabilities in SAP 3D Visual Enterprise Viewer and SAP 3D Visual Enterprise Author. Because of improper memory management, a victim opening manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer/Author could, depending on the type of file manipulation, trigger arbitrary code execution or a denial of service. The two notes differ slightly in the affected file formats: the Viewer vulnerability (#3245928) affects fewer file formats than the Author vulnerability (#3245929).

The solution section of both notes lists the fixed file formats. This suggests that fixes for some formats are still pending, but when comparing this list to the list of previously affected formats, there seems to be no file format left unpatched. 

High Priority Note #3232021, tagged with a CVSS score of 8.1, patches a Buffer Overflow vulnerability in SAP SQL Anywhere and SAP IQ database servers. Unauthenticated remote attackers could trigger a stack-based buffer overflow while the server is running with a debugging option. An exploit could lead to unauthorized reading and modification of data as well as negatively impact the system’s availability.

Summary and Conclusion

With 23 new and updated Security Notes, including two HotNews Notes and six High Priority Notes, this Patch Day comes with more to-dos for SAP customers than the previous ones. It is important to get a complete overview of all patched vulnerabilities before starting the implementation of individual patches. The example of the SAP Business Objects vulnerabilities shows that with only one patch, affected customers can fix seven issues at once.

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2495712 | New | Missing authorization check in SAP Automotive Solutions | IS-A | Medium | 6.5 |
| 3239293 | New | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/ Query Builder) | BI-BIP-ADM | High | 7.7 |
| 3229425 | New | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP | BI-RA-AWB | Medium | 5.4 |
| 3229132 | New | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | BI-BIP-ADM | High | 8.2 |
| 3211161 | New | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | BI-BIP-INV | Medium | 6.1 |
| 3248970 | New | [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Medium | 4.9 |
| 3248384 | New | [CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Medium | 4.9 |
| 3245929 | New | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | CA-VE-VEA | High | 7.0 |
| 3245928 | New | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | CA-VE-VEV | High | 7.0 |
| 3242933 | New | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | MFG-ME | HotNews | 9.9 |
| 3202523 | New | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | CEC-COM-CPS | Medium | 6.1 |
| 3049899 | New | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | KM-SEN-MGR | Medium | 6.5 |
| 3167342 | New | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | EIM-DS-SVR | Medium | 4.8 |
| 3239152 | New | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | CEC-COM-CPS | HotNews | 9.6 |
| 3234755 | New | Information Disclosure vulnerability in Master Data Governance | CA-MDG-APP-CUS | Medium | 4.3 |
| 3233226 | New | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | BI-BIP-LCM | Medium | 6.8 |
| 3232021 | New | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | BC-SYB-SQA | High | 8.1 |
| 3150454 | Update | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-RFC | Medium | 4.9 |
| 2726124 | Update | Missing Authorization Check in multiple components under SAP Automotive Solutions | IS-A | Medium | 6.3 |
| 2460948 | Update | Missing Authorization Check in Vehicle Management System | IS-A-VMS | Medium | 5.3 |
| 2634023 | Update | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | QM-QN | Medium | 6.3 |
| 3213524 | Update | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | BI-BIP-CMC | Medium | 6.0 |
| 3213507 | Update | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | BI-BIP-ADM | High | 8.2 |