Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
December 2021 notes
Summary and highlights of the month
The total number of notes/patches has increased compared to last month. In addition to this increase in the number of total notes, the number of Hot News also increased, with 1 note last month compared to 4 in December. On the other hand, it is worth mentioning that the number of high criticality notes has increased from 3 to 6 this month. As usual, we will leave the medium and low scores unchecked this month, but we will give details of a total of 10 scores (all those with a CVSS of 7 or higher).
We have a total of 21 notes for the whole month, 10 more than last November (15 from Patch Tuesday, 11 new and 4 updates, being 8 more than last month).
We have 4 Hot News, 2 new and 2 updates, in this month that stand out for their high CVVS. In addition, we will review in detail 6 of the total of 6 high notes (those with CVSS greater than or equal to 7) where this month it stands out that they are all new notes.
- The most critical note of the month (with CVSS 10) would be the update of “Browser Control Chromium Delivered with SAP Business Client (2622660)”.
- On the other hand, we also locate 3 other notes of very high criticality (Hot News), all with a CVSS of 9.9, related to Code Execution, Code Injection and SQL Injection vulnerabilities, affecting SAP Commerce, SAP ABAP Server & ABAP Platform and SAP NZDT Mapping Table Framework, respectively.
- From there, there are 6 notes of high priority, the most relevant with a CVSS of 8.8 being two new notes of SQL Injection and Cross-Site Scripting, which in this case affect SAP Commerce and SAP Knowledge Warehouse. The rest (11) are medium and low level, and we will not see them in detail.
- This month the most predominant type is Missing Authorization Check (5/21 and 1/15 in patch day), followed by Cross-Site Scripting (XSS) (3/21 and 2/15 in patch day).
In the graph (post December 2021 from SAP) we can see the ranking of the December notes in addition to the evolution and ranking of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):
The full details of the most relevant notes are as follows:
- Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): It provides a SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. This note will be modified periodically based on web browser updates by the open source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. CVSS v3 Base Score: 10 / 10 .
- Code Execution vulnerability in SAP Commerce, localization for China (3109577): SAP Commerce, localization for China uses open source software component versions having multiple vulnerabilities as mentioned below. Consequently, this functionality is potentially at risk of code execution attack. The solution would be to update the SAP Commerce to patch 1905.32 or above. If your installation of SAP Commerce, localization for China package is 2001, just download the SP00 patch level 01 for SAP Commerce, localization for China package. Otherwise, upgrade your SAP Commerce, localization for China package to 2001 first. CVSS v3 Base Score: 9.9 / 10 (Multiple CVEs).
- Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) (3119365): This note patches a Code Injection vulnerability, where an attacker with low privileges can exploit the weakness in internally used text extraction reports (Translation Tools) which will enable the execution of arbitrary commands in the background. The attacker could thereby control the behaviour of the application compromising all its data. To fix the issue it is necessary to implement the note so coding is deactivated and there would be no impact on existing funcionality. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-44231).
- Update – SQL Injection vulnerability in SAP NZDT Mapping Table Framework (3089831): SAP has made minor textual change in the Symptom section. There have not been any changes done which require customer action. This note patches SQL Injection vulnerabilities in RFC-enabled function modules of the Near Zero Downtime (NZDT) Mapping Table framework used during system upgrades and migrations. An improper input sanitization allows an authenticated user with certain specific privileges to remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity and availability of the system. This note provides a patch for this vulnerability which leads to a complete or partial deactivation of the affected function modules. As a workaround, customers with activated Unified Connectivity (UCON) runtime checks can also deactivate the affected function modules manually. Important: Independent of which method is used to patch the vulnerabilities, they both result in making the product SAP Test Data Migration Server unusable. Please follow the steps described in SAP Note 3094474 in order to re-enable “SAP Test Data Migration Server”. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-38176]).
- SQL Injection vulnerability in SAP Commerce (3114134): If SAP Commerce is configured to use an Oracle database and if a query is created using the flexible search java api with a parametrized “in” clause, SAP Commerce allows attacker to execute crafted database queries, exposing backend database. The vulnerability is present if the parametrized “in” clause accepts more than 1000 values. The problem can affect any kind of extension using the flexible search api with an “in” clause with partially untrusted input and potentially some internal components of the platform when using an Oracle database. SAP Commerce addresses this vulnerability by properly escaping any value passed to parametrized “in” clause when handling flexible search queries having more than 1000 values used in this clause. CVSS v3 Base Score: 8.8 / 10. (CVE-2021-42064)
- Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse (3102769): A security vulnerability has been discovered in the SAP Knowledge Warehouse (SAP KW). The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data. The displaying component of SAP KW did not sufficiently validate and encode input parameters, resulting in a reflected cross-site scripting issue. Important: The security breach might also occur if you do not actively use the displaying component of SAP KW at all. Simply the existence of the component on your landscape is sufficient. To solve the issue, please implement the Support Packages and Patches referenced by this SAP Note, so the parameters will be properly validated and encoded to prevent a successful XSS attack. CVSS v3 Base Score: 8.8 / 10. (CVE-2021-42063)
- Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP (3123196): Two methods of a utility class in SAP NetWeaver AS ABAP allows an attacker with high privileges and has direct access to SAP System, to inject code when executing with transaction (SE24 – Class Builder). This could allow execution of arbitrary commands on the operating system, that could highly impact the Confidentiality, Integrity and Availability of the system. The issue appears if the user has permissions to use SE24/SE80 and execute development objects (authorization object = S_DEVELOP with fields OBJTYPE = CLAS and ACTVT = 16 ‘Execute’), and the compromised utility class is exclusively used for license bound SAP tool Post-Copy Automation (PCA) and has no impact on standard functionality. With the fix the functionality is completely removed and directly integrated into the class where it is executed without the possibility to pass any parameter. There are two options to fix the issue: the first one would be that no action is needed when the user has no permission to execute development objects (authorization object = S_DEVELOP with fields OBJTYPE = CLAS and ACTVT = 16 ‘Execute’) through transactions SE24/SE80, the other one would be to implement the note with SNOTE to remove the coding. As the functionality is used for Post-Copy Automation (PCA) which is integated into SAP Basis for older releases/sps some dependent notes have to be implemented. CVSS v3 Base Score: 8.4 / 10. (CVE-2021-44235)
- Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices (3077635): A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android, which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service, which can lead to denial of service. The vulnerability is related to Android implementation methods that are widely used across Android mobile applications, and such methods are embedded into the SAP SuccessFactors mobile application. These Android methods begin executing once the user accesses their profile on the mobile application. While executing, it can also pick up the activities from other Android applications that are running in the background of the user’s device and are using the same types of methods in the application. Such vulnerability can also lead to phishing attack that can be used for staging other types of attacks. This vulnerability impacts users who are using the Android mobile application version released previous to 6.32.1. To fix the issue, download the latest version of the SAP SuccessFactors Android mobile application so the organization is not at risk of any threats highlighted from this vulnerability. CVSS v3 Base Score: 7.8 / 10 (CVE-2021-40498).
- Directory Traversal vulnerability in SAF-T Framework (3124094): SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server. To fix this issue, the F4 search help of field File Name in transaction SAFTN_G will be removed. Nevertheless, there are still other three possibilities for end-users to enter the file name. CVSS v3 Base Score: 7.7 / 10 (CVE-2021-44232).
- Denial of service (DOS) in SAP Commerce (3113593): The library jsoup used in SAP Commerce may be vulnerable to DOS attacks. jsoup is used to sanitize various product related metadata in b2caccelerator. A user with write access to product metadata could exploit this vulnerability. The impacts of the vulnerability would be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users and a direct impact on availability. This vulnerability affects any SAP Commerce installation using the B2C Accelerator. SAP Commerce addresses this vulnerability by upgrading jsoup, which does not contain the vulnerability. The Software Downloads of these or later patches are available in the SAP Support Portal. As a workaround (not permanent solution), to minimize the impact, restrictions to product related field length could be implemented to limit the size of inputs sent to jsoup. CVSS v3 Base Score: 7.5 / 10.
Reference links of the CERT of the INCIBE in relation to the publication of the notes for December:
Other references, from SAP and Onapsis (December):
- SAF-T Framework, versiones SAP_FIN 617, 618, 720, 730, SAP_APPL 600, 602, 603, 604, 605, 606, S4CORE 102, 103, 104 y 105;
- SAP 3D Visual Enterprise Viewer, versión 9;
- SAP ABAP Server & ABAP Platform (Translation Tools), versiones 701, 740,750,751,752,753,754,755,756 y 804;
- SAP Business Client, versión 6.5;
- SAP BusinessObjects Business Intelligence Platform, versión 420;
- SAP Commerce, localization for China, versión 2001;
- SAP Commerce, versiones 1905, 2005, 2105 y 2011;
- SAP GRC Access Control, versiones V1100_700, V1100_731 y V1200_750.
- SAP Knowledge Warehouse, versiones 7.30, 7.31, 7.40 y 7.50;
- SAP Landscape Transformation, versión 2.0;
- SAP LT Replication Server, versiones 2.0 y 3.0;
- SAP LTRS for S/4HANA, versión 1.0;
- SAP NetWeaver AS ABAP, versiones 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 y 756;
- SAP S/4HANA, versiones 1511, 1610, 1709, 1809, 1909, 2020 y 2021;
- SAP SuccessFactors Mobile Application (para Android), versiones <2108;
- SAP Test Data Migration Server, versión 4.0;
- SAP UI 700, versiones 2.0;
- SAP UI, versiones 7.5, 7.51, 7.52, 7.53 y 7.54;
- SAP Web Dispatcher and Internet Communication Manager, versiones KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82 y 7.83;