Important Patches for IS-OIL, Solution Manager, Web Dispatcher, and ICM
Highlights of July SAP Security Notes analysis include:
- July Summary – Eighteen new and updated SAP security patches released, including two HotNews Notes and seven High Priority Notes.
- HotNews for IS-OIL – OS Command Injection vulnerability allows complete system compromise
- Onapsis Research Labs Collaboration – Onapsis Research Labs contributed in fixing eight vulnerabilities, covered by seven SAP Security Notes. This includes one HotNews vulnerability in IS-OIL and four High Priority Notes affecting SAP SolutionManager, SAP Web Dispatcher, and SAP ICM.
SAP has published eighteen new and updated Security Notes on its July Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and seven High Priority Notes.
One of the two HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client, including the latest supported Chromium patches. SAP Business Client now supports Chromium version 114.0.5735.134 which fixes fifty-six vulnerabilities in total, including two Critical and thirty-five High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 9.6.
One of the seven High Priority Notes, SAP Security Note #3324285, contains only a minor text update in its solution section.
The New HotNews Notes in Detail
The Onapsis Research Labs (ORL) contributed to patching a critical HotNews vulnerability in SAP IS-OIL. SAP Security Note #3350297, tagged with a CVSS score of 9.1, allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter of a vulnerable transaction and program. The included function module that processes the parameter value is patched with the SAP Note and contains an appropriate input validation. Patching is strongly recommended since a successful exploit of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system.
High Priority SAP Security Notes
In addition to the only new HotNews Note, the ORL also contributed to patching four of the seven High Priority Notes. Although these notes have a lower CVSS score than HotNews Note #3350297, they can be considered more critical since they affect almost all SAP customers.
The type of attacks and exploits that are related to Note #3233899 belong to the “HTTP Request desynchronization family”. One technique of this family is called Response Smuggling and was presented by Onapsis in 2021 at the DEFCON29 conference. In early 2022, the ORL detected and helped SAP in patching the first vulnerabilities in SAP ICM, known as ICMAD, that could be exploited using Response Smuggling techniques.
The newly found vulnerability related to this note allows for two attack scenarios to occur. Both scenarios allow an unauthenticated attacker to submit a maliciously crafted request over a network to a front-end server. Over a number of attempts, this may result in a back-end server confusing the boundaries of malicious and legitimate messages, resulting in execution of malicious payloads. While one scenario only impacts the system’s availability, the second one also impacts its confidentiality.
SAP Security Note #3340735, tagged with a CVSS score of 7.7, patches a Memory Corruption vulnerability in SAP ICM and SAP Web Dispatcher. The vulnerability can be exploited by an unauthenticated attacker through logical errors in memory management. Keeping the ICM and/or SAP Web Dispatcher unpatched can lead to low impact on confidentiality as well as high impact on the integrity and availability of the system.
Important Note: Only the HTTP/2 protocol is affected by SAP Security Notes #3233899 and #3340735. HTTP/1 is not affected. The following table provides information about HTTP/2 support of the different scenarios and the default settings:
| # | Scenario | Version | HTTP/2 supported | HTTP/2 enabled by default |
|---|----------|---------|------------------|---------------------------|
| 1 | Standalone/Embedded SAP Web Dispatcher | <= 7.45 | | |
| 2 | ICM in SAP NetWeaver AS ABAP | <= 7.45 | | |
| 3 | ICM in SAP NetWeaver AS Java | All | – | – |
| 4 | SAP Web Dispatcher in XS Classic | | X | – |
| 5 | SAP Web Dispatcher in XS Advanced | | X | – |
ICM in SAP NW AS ABAP is NOT affected if a patched SAP Web Dispatcher is installed in front of the system and all traffic passes through this SAP Web Dispatcher. In addition, ICM in SAP NW AS ABAP is only vulnerable to #3233899 if there is a third-party reverse proxy or load balancer that supports the HTTP/2 protocol in front of the system. It is NOT affected if it is operated behind a simple TCP load balancer.
The default can be overwritten by explicitly setting parameter icm/HTTP/support_http2 to TRUE or FALSE in the instance or default profile (scenario 1, 2), in webdispatcher.ini (scenario 4) or /hana/shared/<SID>/xs/controller_data/controller/router/webdispatcher/conf/sapwebdisp.template (scenario 5).
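To find out whether HTTP/2 has been explicitly switched on or off for scenarios 1 and 2, the profile files can be checked directly. The following script is an added example (not code from Onapsis or SAP); it assumes SAP's profile syntax of one `parameter = value` per line with full-line `#` comments, and that a setting in the instance profile overrides the same setting in the default profile.

```python
"""Report the effective icm/HTTP/support_http2 setting from SAP profiles.

Added example, not part of the Onapsis post. Assumes: `parameter = value`
lines, `#` starts a whole-line comment, instance profile overrides default.
"""
import re

PARAM = "icm/HTTP/support_http2"
# parameter name up to the first '=', value is the remainder (trimmed)
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for one profile; a later line wins."""
    params = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def http2_setting(default_profile, instance_profile):
    """True/False if the parameter is set explicitly, None if the kernel default applies."""
    merged = parse_profile(default_profile)
    merged.update(parse_profile(instance_profile))  # instance profile wins
    value = merged.get(PARAM)
    if value is None:
        return None
    return value.upper() == "TRUE"


def assess(default_profile, instance_profile):
    """Map the setting onto the HTTP/2 exposure described for #3233899 and #3340735."""
    setting = http2_setting(default_profile, instance_profile)
    if setting is True:
        return "HTTP/2 explicitly enabled: apply #3233899 and #3340735 (or disable HTTP/2)"
    if setting is False:
        return "HTTP/2 explicitly disabled: not exposed via HTTP/2"
    return "parameter not set: kernel default applies, see the HTTP/2 table for your release"


# Constructed sample profiles for demonstration (not real customer data)
DEFAULT_PFL = "SAPSYSTEMNAME = DEV\nicm/HTTP/support_http2 = FALSE\n"
INSTANCE_PFL = "# enabled in the instance profile for a test\nicm/HTTP/support_http2 = true\n"

if __name__ == "__main__":
    print(assess(DEFAULT_PFL, INSTANCE_PFL))
```

For a real system, read DEFAULT.PFL and the instance profile from the profile directory and pass their contents to `assess`.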
SAP Security Notes #3348145 and #3352058, both tagged with a CVSS score of 7.2, affect SAP Solution Manager (Diagnostics agent). Both vulnerabilities were patched in cooperation with our ORL team. SAP Security Note #3348145 patches a vulnerability allowing an attacker to manipulate headers of client requests. This causes the SAP Diagnostics Agent to serve poisoned content to the server, resulting in limited impact on confidentiality and availability of the application.
SAP Security Note #3352058 solves an Unauthenticated Blind SSRF vulnerability in the Diagnostics agent. The vulnerability allows an unauthenticated attacker to blindly execute HTTP requests. Unlike #3348145, a successful exploitation can also cause limited impact on other applications the Diagnostics Agent can reach.
High Priority Note #3331376, tagged with a CVSS score of 8.7, patches a Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON). The patch deactivates a report that did not apply appropriate authorization checks and input validations of provided parameters. Unpatched, an attacker can traverse system directories and overwrite some OS files leading to system compromise. A simple workaround can be applied by deleting the vulnerable report. The affected report can be retrieved by checking the note’s correction instructions.
SAP Security Note #3331029, tagged with a CVSS score of 7.8, affects SAP SQL Anywhere. The note patches a Denial of Service vulnerability allowing a low privileged attacker with local system access to write to shared memory objects. Doing so, they can overwrite sensitive data in the affected shared memory object or prevent legitimate users from accessing the service.
Further Contribution of the Onapsis Research Labs
The Onapsis Research Labs contributed to patching a Log Injection vulnerability in SAP NetWeaver AS Java. An unauthenticated attacker could use crafted requests to modify a system log with low impact on the system’s integrity. SAP Security Note #3324732, tagged with a CVSS score of 5.3, provides the corresponding patch.
Another Log Injection vulnerability was identified by the ORL in a remote-enabled function module in SAP ERP Defense Forces and Public Security. It allows an authenticated attacker with admin privileges to modify the content of the syslog data and cause a complete compromise of the application’s integrity. SAP Security Note #3351410, tagged with a CVSS score of 4.9, patches the vulnerability by deactivating the source code of the affected function module.
Summary and Conclusion
With eighteen new and updated SAP Security Notes, including two HotNews Notes and seven High Priority Notes, SAP’s July Patch Day represents an average Patch Day. The Onapsis Research Labs has once again significantly contributed to making the SAP universe a little bit safer. The continuous research of our team resulted in one HotNews Note, four High Priority Notes and two Medium Priority Notes.
| Note | Type | Title |
|------|------|-------|
| 3352058 | New | [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) |
| 3348145 | New | [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) |
| 3351410 | New | [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security |
| 3088078 | New | [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA |
| 3324732 | New | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) |
| 3350297 | New | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) |
| 3318850 | New | [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform |
| 3343564 | New | [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) |
| 3343547 | New | [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) |
| 3331029 | New | [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere |
| 3326769 | New | [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now |
| 3331376 | New | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) |
| 3320702 | New | [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform |
| 3340735 | New | [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher |
| 3233899 | New | [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher |
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client |
| 3341211 | New | [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) |
| 3324285 | Update | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) |
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs.