- SAP Managed Tags:
This week SAP released the August 2019 Security Notes. There were four HotNews and two critical notes published. Below is the YTD Security Note distribution graph, along with a graph highlighting HotNews and critical vulnerabilities. For a full analysis of this month’s SAP Patch Day, visit the Onapsis Research Labs blog post.
SAP NetWeaver UDDI Server (Services Registry); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
CVSS v3.0 Base Score: 9.9 / 10
Yes, you’ve read the right the CVSS score is 9.9 this is the first time ever in 2019 SAP has released a HOT News with that score.
Details
UDDI stand for Universal Description Discovery and Integration
The J2EE Engine provides a tool that fully implements the Universal Description Discovery and Integration (UDDI) functions based on the UDDI v2.0 specification. The tool is a Web-based client that you can use for publishing, browsing, and retrieving Web services based on the standard UDDI specification. You publish your Web services and Web service definitions in a public, private, or test registry.
According to the SAP Product Security Team and the Onapsis Research Labs, a remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry). Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product.
Impact of the vulnerability is very significant, a threat actor can perform CRUD activities create, read, update, and delete (CRUD) on your SAP applications by injecting code into the working memory which is subsequently executed by the application.
Most of the vulnerabilities fixed by SAP are reported by third-party security researchers. Thanks to the community for their contribution.
More Information about SAP Security Note #2800779 can be found here.
Learn more about the UDDI on the SAP Help Portal.
SAP Business Client, Version - 6.5
CVSS v3.0 Base Score: 9.8 / 10
Details
SAP Business Client is a user interface client that presents a single entry point to different SAP business applications and technologies. SAP Business Client supports single sign-on, so there is no need to login at multiple places to access different applications.
For the first time in SAP Business Client history, starting with version 6.5, SAP has offered a Chromium web browser control based on Chromium Embedded Framework (CEF) as an alternative to Microsoft Internet Explorer. You can now use the browser control Chromium for displaying HTML content within the SAP Business Client. According to the SAP Product Security Team and the Onapsis Research Labs, SAP applications can be vulnerable if the SAP Business Client is running on an outdated Chromium application.
The CVSS score for this vulnerability is high because if the SAP Business Client release is not updated accordingly, this could lead to:
It is also important to note that this OSS notes has been constantly been updated by SAP 5 times in the last one year.
More Information about SAP Security Note #2622660 can be found here.
Learn more about the SAP Business Client on the SAP Help Portal.
SAP Commerce Cloud (virtualjdbc extension), Versions - 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905
CVSS v3.0 Base Score: 9 / 10
Details
SAP Commerce Cloud (previously SAP Hybris Commerce) has modules and accelerators designed for specific B2C and B2B industries, from grocery to education, to insurance and apparel, for easy setup and use.
According to SAP Vulnerabilitie/s exist in Virtualjdbc Extension and Mediaconversion Extension. This would only occur if a unpatched version of the Virtualjdbc or/and Mediaconversion extensions are installed*. To verify if a specific extension is installed, please check the localextensions.xml file in the config directory.
You may find the vulnerable versions under the "Symptom" section of this security note.
*In the case of mediaconversion, the extension must be installed and users must have permissions to use it. To verify if a user or user-group has permissions to use the mediaconversion extension please go to the "Permissions Management" section of the particular employee account or particular user-group and verify if the following contexts are enabled: "Media", "Media Container", "Media Format" (or more specifically "Conversion Media Format").
A threat actor using Code Injection vulnerabilities can perform:
More Information about SAP Security Note #2786035 can be found here.
Learn more about the SAP Business Client on the SAP Help Portal.
SAP NetWeaver Application Server for Java (Administrator System Overview), Versions - 7.30, 7.31, 7.40, 7.50
CVSS v3.0 Base Score: 9 / 10
Details
Server-Side Request Forgery in SAP NetWeaver Application Server for Java
SSRF is very well-known method of attacking vulnerable web application. An attacker can send crafted requests from the back-end server of web application targeting internal systems that are behind firewalls and are not accessible from the external network.
According to SAP an attacker can perform multiple activities if the SAP application is compromised
Many exploitation events are seen shortly after the release of a patch. The dark web buzz begins to pick up with the information provided by SAP Patch Tuesdays. A detailed analysis of the patch helps threat actors immediately take advantage of the previously undisclosed vulnerabilities that remain in unpatched systems.
Organizations should set aside time to deploy security patches, remember, threat actors are not waiting for you. Although the complexity of deploying security patches to production and the change management life cycle in a big enterprise is understandable, it’s equally important that external threat actors are not taking advantage of this loophole. As a recommendation, organizations should have a process for continuous monitoring around SAP vulnerabilities, while at the same time your SAP Basis and security administrators are working on patching the system.
More Information about SAP Security Note #2813811 can be found here.
After a long time, SAP has released 4 HOT NEWS in one month, if your job is tied to securing SAP or enterprise applications, please pay attention to this blog to understand the risks and work on a mitigation.
#1 HotNews SAP Security Note #2800779
Impacted System and Version
SAP NetWeaver UDDI Server (Services Registry); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
CVSS v3.0 Base Score: 9.9 / 10
Yes, you’ve read the right the CVSS score is 9.9 this is the first time ever in 2019 SAP has released a HOT News with that score.
Details
UDDI stand for Universal Description Discovery and Integration
The J2EE Engine provides a tool that fully implements the Universal Description Discovery and Integration (UDDI) functions based on the UDDI v2.0 specification. The tool is a Web-based client that you can use for publishing, browsing, and retrieving Web services based on the standard UDDI specification. You publish your Web services and Web service definitions in a public, private, or test registry.
According to the SAP Product Security Team and the Onapsis Research Labs, a remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry). Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product.
Impact of the vulnerability is very significant, a threat actor can perform CRUD activities create, read, update, and delete (CRUD) on your SAP applications by injecting code into the working memory which is subsequently executed by the application.
Most of the vulnerabilities fixed by SAP are reported by third-party security researchers. Thanks to the community for their contribution.
More Information about SAP Security Note #2800779 can be found here.
Learn more about the UDDI on the SAP Help Portal.
#2 HotNews SAP Security Note #2622660
Impacted System and Version –
SAP Business Client, Version - 6.5
CVSS v3.0 Base Score: 9.8 / 10
Details
SAP Business Client is a user interface client that presents a single entry point to different SAP business applications and technologies. SAP Business Client supports single sign-on, so there is no need to login at multiple places to access different applications.
For the first time in SAP Business Client history, starting with version 6.5, SAP has offered a Chromium web browser control based on Chromium Embedded Framework (CEF) as an alternative to Microsoft Internet Explorer. You can now use the browser control Chromium for displaying HTML content within the SAP Business Client. According to the SAP Product Security Team and the Onapsis Research Labs, SAP applications can be vulnerable if the SAP Business Client is running on an outdated Chromium application.
The CVSS score for this vulnerability is high because if the SAP Business Client release is not updated accordingly, this could lead to:
- Unplanned downtime
- A breach disclosing sensitive Information
- Memory corruption
- System information disclosure or system crash in worst cases
- Vulnerabilities with a direct impact on confidentiality, integrity and availability of the system
- Information being gathered for future attacks, possibly with more severe consequences
It is also important to note that this OSS notes has been constantly been updated by SAP 5 times in the last one year.
More Information about SAP Security Note #2622660 can be found here.
Learn more about the SAP Business Client on the SAP Help Portal.
#3 HotNews SAP Security Note #2786035
Impacted System and Version -
SAP Commerce Cloud (virtualjdbc extension), Versions - 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905
CVSS v3.0 Base Score: 9 / 10
Details
SAP Commerce Cloud (previously SAP Hybris Commerce) has modules and accelerators designed for specific B2C and B2B industries, from grocery to education, to insurance and apparel, for easy setup and use.
According to SAP Vulnerabilitie/s exist in Virtualjdbc Extension and Mediaconversion Extension. This would only occur if a unpatched version of the Virtualjdbc or/and Mediaconversion extensions are installed*. To verify if a specific extension is installed, please check the localextensions.xml file in the config directory.
You may find the vulnerable versions under the "Symptom" section of this security note.
*In the case of mediaconversion, the extension must be installed and users must have permissions to use it. To verify if a user or user-group has permissions to use the mediaconversion extension please go to the "Permissions Management" section of the particular employee account or particular user-group and verify if the following contexts are enabled: "Media", "Media Container", "Media Format" (or more specifically "Conversion Media Format").
A threat actor using Code Injection vulnerabilities can perform:
- Unauthorized execution of commands
- Disclosure of sensitive information
- Denial of Service
More Information about SAP Security Note #2786035 can be found here.
Learn more about the SAP Business Client on the SAP Help Portal.
#4 HotNews SAP Security Note # 2813811
Impacted System and Version –
SAP NetWeaver Application Server for Java (Administrator System Overview), Versions - 7.30, 7.31, 7.40, 7.50
CVSS v3.0 Base Score: 9 / 10
Details
Server-Side Request Forgery in SAP NetWeaver Application Server for Java
SSRF is very well-known method of attacking vulnerable web application. An attacker can send crafted requests from the back-end server of web application targeting internal systems that are behind firewalls and are not accessible from the external network.
According to SAP an attacker can perform multiple activities if the SAP application is compromised
- Scan internal network to determine internal infrastructure
- Information gathering for further exploits/attacks
- Perform a Remote File Inclusion attack
- Retrieve server files (including /etc/password and more).
- Bypass Firewall and force the vulnerable server perform your malicious requests.
Many exploitation events are seen shortly after the release of a patch. The dark web buzz begins to pick up with the information provided by SAP Patch Tuesdays. A detailed analysis of the patch helps threat actors immediately take advantage of the previously undisclosed vulnerabilities that remain in unpatched systems.
Organizations should set aside time to deploy security patches, remember, threat actors are not waiting for you. Although the complexity of deploying security patches to production and the change management life cycle in a big enterprise is understandable, it’s equally important that external threat actors are not taking advantage of this loophole. As a recommendation, organizations should have a process for continuous monitoring around SAP vulnerabilities, while at the same time your SAP Basis and security administrators are working on patching the system.
More Information about SAP Security Note #2813811 can be found here.
