SAP Security Patch Day September 2021: SAP NetWeaver AS JAVA Affected by Several HotNews Vulnerabilities

SAP Security Notes Blog

Highlights of September SAP Security Notes analysis include:

  • September Summary 21 new and updated SAP security patches released, including seven HotNews Notes and two High Priority Notes. 81% of the patched vulnerabilities were reported by external contributors. 
  • Most critical patches for SAP NW AS JAVA – JMS Connector Service, SAP NW Knowledge Management, and Visual Composer affected 
  • Onapsis Research Labs Collaboration – Onapsis Research Labs contributed in fixing five vulnerabilities covered by three SAP Security Notes

SAP has published 21 new and updated Security Notes on its September Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes seven HotNews Notes and two High Priority Notes. 

SAP’s September Patch Tuesday requires special attention again. It comes with the remarkable number of five new HotNews Notes, one with a CVSS score of 10 and three with a CVSS score of 9.9. There were also two High Priority Notes published—one for SAP customers using SAP Web Dispatcher and one for customers using encryption based on SAP CommonCryptolib.

Two HotNews Notes were updated on August 24th. SAP Security Note #3071984, tagged with a CVSS score of 9.9, contains an updated description of a possible workaround. The note fixes an Unrestricted File Upload vulnerability in SAP Business One and was initially released on SAP’s August Patch Day.

The second updated HotNews Note is the continuously recurring SAP Security Note #2622660, providing a SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The note references 57 Chromium fixes with a maximum CVSS score of 9.6—24 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues.

The HotNews Notes in Detail

SAP Security Note #3078609, tagged with the highest possible CVSS score of 10.0, patches a Missing Authorization Check vulnerability in the Java Message Service (JMS) Connector Service of an SAP NetWeaver AS JAVA system. The JMS Connector Service is an enterprise messaging system that provides a way for business applications to exchange data without needing to be directly connected to each other. The communication is obtained using messages. It allows different message models like Point-to-Point Messaging or Publish-Subscribe scenarios. Facing the integral role of the JMS Connector Service and the CVSS top score of the vulnerability, there should be no doubt that providing the corresponding patch is absolutely recommended. Otherwise, restricted data is at risk of being read, updated, or deleted.

Onapsis Research Labs detected another critical vulnerability affecting SAP NetWeaver Knowledge Management (SAP KM). Our team identified an XSLT vulnerability that allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. The vulnerability is fixed with SAP Security Note #3081888, tagged with a CVSS score of 9.9, and only the fact that it requires a minimum authorization to exploit the vulnerability prevents it from being another 10.0 on SAP’s September Patch Day.

The latter Security Note also applies to two further HotNews Notes that are also tagged with a CVSS score of 9.9:

The first one affects SAP Visual Composer, a tool that allows business process designers to model applications and prototypes without writing a single line of code. An exploit of the vulnerability is very similar to the previously described one: due to an Unrestricted File Upload vulnerability, a non-administrative user can upload a malicious file over a network and trigger its processing which can run operating system commands with the privilege of the Java Server process. According to the corresponding SAP Security Note #3084487, attackers could read and modify any information on the server or shut down the server, making it unavailable.

The second one patches SQL Injection vulnerabilities in no less than 25(!) RFC-enabled function modules of the Near Zero Downtime (NZDT) Mapping Table framework used during system upgrades and migrations. An improper input sanitization allows an authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database. SAP Security Note #3089831 provides a patch for this vulnerability which leads to a complete or partial deactivation of the affected function modules. As a workaround, customers with activated Unified Connectivity (UCON) runtime checks can also deactivate the affected function modules manually. Important: Independent of which method is used to patch the vulnerabilities, they both result in making the product SAP Test Data Migration Server unusable. The separate note #3094474 describes how to re-enable this application. It introduces an allow list of tables that are allowed to be read or updated by the affected function modules so that accessing arbitrary tables is no longer possible.

The set of new released HotNews Notes is completed by SAP Security Note #3073891, tagged with a CVSS score of 9.6. It patches OS Command Injection and Reflected Cross-Site Scripting vulnerabilities in the chat application of SAP Contact Center. Due to missing encoding in SAP Contact Center’s Communication Desktop component, an attacker could inject a malicious script into a chat message. When the message is accepted by the chat recipients, the script gets executed in their scope. Due to the involvement of ActiveX controls in the application, the attacker can further execute operating system level commands in the chat recipients’ scope. According to SAP, this could lead to complete compromise of their confidentiality and integrity, and could also temporarily impact their availability.

Two High Priority Notes Released inCollaboration with The Onapsis Research Labs

Once again, the Onapsis Research Labs was able to contribute to this SAP Patch Tuesday. In addition to supporting SAP in patching the Code Injection vulnerability described in HotNews Note #3081888 (refer to previous section), we helped SAP in patching two High Priority vulnerabilities.

SAP Security Note #3080567, tagged with a CVSS score of 8.9, patches an HTTP request smuggling vulnerability in SAP Web Dispatcher.

HTTP request smuggling is a technique for interfering with the way a website processes sequences of HTTP requests that are received from one or more users.

SAP users send requests to a SAP Web Dispatcher (SAP WDP) and SAP WPD forwards these requests to one or more ABAP, JAVA, or HANA back-end servers. In this situation, it is crucial that the SAP WDP and the back-end systems agree about the boundaries between requests. Otherwise, an attacker might be able to send an ambiguous request that gets interpreted differently by the SAP WDP and the back-end systems. The HTTP specification provides two different methods for specifying the length of HTTP messages. It is possible for a single message to use both methods at once. Under certain circumstances, the SAP WDP and the back-end systems do not use the same method to interpret the length of an HTTP message. Thus, an attacker could send messages that use both methods and provide different information that conflicts with each other. As a result, the back-end system is not able to clearly identify and separate each individual message. This could be leveraged by an attacker to gain control of requests issued by other users, and even obtain sensitive information by retrieving the victim’s requests and responses.

The Onapsis Research Labs also helped SAP in patching a Null Pointer Dereference vulnerability in SAP CommonCryptoLib. An unauthenticated attacker could send specially-crafted malicious HTTP requests over the network, leading to a memory corruption that ends up in a Null Pointer Dereference. This causes the SAP application to crash and has a high impact on the availability of the SAP system. The patch comes with SAP Security Note #3051787 and is tagged with a CVSS score of 7.5. There is no workaround available.

Summary and Conclusions

With 21 new and updated Security Notes, including seven HotNews Notes and two High Priority Notes, this is another busy Patch Day for SAP customers (and me :-) ).

One remarkable aspect is that 81% of the patched vulnerabilities were reported by external contributors like Onapsis. This demonstrates impressively the importance of external researchers for the SAP ecosystem. As a major provider for software solutions protecting business-critical applications, Onapsis continues to invest in its research and proactively analyze and investigate developments in mission-critical applications to deliver security insights and threat intel. 

September 2021

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.