Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
October 2021 notes
Summary and highlights of the month
The total number of notes/patches has decreased compared to last month. Along with this drop in the total, the number of Hot News has decreased, from 7 last month to 3 this month. The number of high criticality notes has also decreased, from 2 to only 1 this month. As usual, we will not review the medium and low notes this month, but we will give details of a total of 4 notes (all those with a CVSS of 7 or higher).
We have a total of 17 notes for the whole month, 4 fewer than in September (14 from Patch Tuesday, 13 new and 1 update, 5 fewer than last month).
We have 2 new Hot News, making a total of 3 this month that stand out for their high CVSS, one of them the recurring update for the SAP Business Client with Chromium. We will also review in detail the high notes (those with a CVSS greater than or equal to 7): a single new note this month.
- The most critical note of the month (CVSS 10) is the update of “Browser Control Chromium Delivered with SAP Business Client (2622660)”.
- Next in criticality (CVSS 9.8 and 9.1) are 2 releases fixing issues with open source software component versions (the first release) and a missing authorization check in SAP NetWeaver AS ABAP and ABAP Platform (the second release).
- From there, we find a high priority note with a CVSS of 7.8 related to “SAP SuccessFactors Mobile Application for Android”. The rest (13) are medium and low level, and we will not look at them in detail.
- This month the most predominant types are “Denial of Service” (3/17 and 3/14 in patch day), “Information Disclosure” and “Cross-Site Scripting” (both with 2/17 and 2/14 in patch day).
In the graph (from SAP's October 2021 post) we can see the breakdown of the October notes, as well as the evolution and breakdown over the previous 5 months (only the Security Tuesday / Patch Day notes, as published by SAP):
The full details of the most relevant notes are as follows:
- Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): It provides an SAP Business Client patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. This note will be modified periodically based on web browser updates by the open source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. CVSS v3 Base Score: 10 / 10.
- Potential XML External Entity Injection Vulnerability in SAP Environmental Compliance (3101406): It patches a potential injection vulnerability in SAP Environmental Compliance. The Data Import from Excel Template functionality in SAP Environmental Compliance 3.0 uses open source software component versions with known vulnerabilities (CVE-2020-10683, BDSA-2017-0180, CVE-2021-23926). Consequently, this functionality is potentially exposed to an XML External Entity Injection attack. To fix this, two open source software component versions are replaced by secure versions. Additionally, a new optional API no longer uses the vulnerable open source software component. CVSS v3 Base Score: 9.8 / 10 (Multiple CVEs).
- Improper Authorization in SAP NetWeaver AS ABAP and ABAP Platform (3097887): It contains a fix for a missing authorization check in the software logistics system of SAP NetWeaver AS ABAP and ABAP Platform. The issue enables a malicious user to transfer ABAP code artifacts or content, bypassing the established quality gates. Through this vulnerability, malicious code can reach quality and production systems and may completely compromise the systems' confidentiality, integrity, and availability. A malicious user with developer and administrator permissions may use tools of the software logistics system for which the necessary authorizations are not checked properly. To fix this, the vulnerable report is deleted in future versions, and the given correction instruction and Support Packages make the report unavailable with a LEAVE PROGRAM statement. CVSS v3 Base Score: 9.1 / 10 (CVE-2021-38178).
- Denial of service (DoS) in the SAP SuccessFactors Mobile Application for Android devices (3077635): It patches a vulnerability identified in the SAP SuccessFactors Mobile Application for Android which allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This can lead to denial of service, or to a phishing attack that can be used for staging other types of attacks. Several measures have been taken to resolve the identified vulnerability in the most recent software update. This vulnerability impacts users of Android mobile application versions released before 2018. To fix this, download the latest version of the SAP SuccessFactors Android mobile application so that your organization is not at risk from the threats highlighted by this vulnerability. CVSS v3 Base Score: 7.8 / 10 (CVE-2021-40498).
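The XXE note above (3101406) concerns an Excel template import that handed XML to vulnerable components. The usual defensive control for such an import is to refuse any document that carries a DTD, since a DOCTYPE is the only place external entities (and entity-expansion bombs) can be declared, and an imported data template has no legitimate reason to include one. The following Python helper is an added illustration of that control; it is not SAP's code and is not taken from the note. The two sample documents, the `template`/`row`/`cell` element names and the `file:///placeholder/local-file` URI are constructed for the example, and the check assumes UTF-8 (or ASCII-compatible) input.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a benign, DTD-free template-style document.
BENIGN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<template><row><cell>site-01</cell><cell>42.5</cell></row></template>"""

# Constructed sample: the same document carrying a DOCTYPE that declares an
# external entity. Whether or not the parser would resolve it, the document
# is refused before it reaches the parser at all.
ENTITY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE template [
  <!ENTITY ext SYSTEM "file:///placeholder/local-file">
]>
<template><row><cell>&ext;</cell></row></template>"""


class UnsafeXmlError(ValueError):
    """Raised when an imported document carries a DTD and is rejected."""


def has_doctype(data: bytes) -> bool:
    # XML keywords are case-sensitive, so "<!DOCTYPE" is the only spelling a
    # parser will honour. Assumption: UTF-8/ASCII-compatible encoding; a
    # UTF-16 document would need decoding before this check. A DOCTYPE token
    # hidden inside a comment or CDATA block also trips the check, which is
    # the fail-closed behaviour we want for an import path.
    return b"<!DOCTYPE" in data


def safe_parse(data: bytes) -> ET.Element:
    """Reject any document with a DTD, then parse with ElementTree."""
    if has_doctype(data):
        raise UnsafeXmlError("DTD/DOCTYPE declarations are not allowed in imports")
    return ET.fromstring(data)


def import_cells(data: bytes) -> list:
    """Return the text of every <cell> element of an accepted document."""
    root = safe_parse(data)
    return [cell.text for cell in root.iter("cell")]


def is_rejected(data: bytes) -> bool:
    """True if the import layer refuses the document, False if it accepts it."""
    try:
        safe_parse(data)
    except UnsafeXmlError:
        return True
    return False


if __name__ == "__main__":
    print("benign cells:", import_cells(BENIGN_XML))
    print("entity document rejected:", is_rejected(ENTITY_XML))
```

Rejecting the DTD outright, rather than trying to disable individual parser features, removes both external entity resolution and internal entity expansion in one step and does not depend on which XML library sits underneath the import.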
Reference links from the INCIBE CERT regarding the publication of the October notes:
Other references, from SAP and Onapsis (October):
- SAP Business Client, version 6.5;
- SAP Business One, version 10.0;
- SAP BusinessObjects Analysis for OLAP, versions 420 and 430;
- SAP BusinessObjects Business Intelligence Platform, versions 420 and 430;
- SAP Environmental Compliance, version 3.0;
- SAP NetWeaver:
  - Application Server for ABAP (SAP Cloud Print Manager and SAPSprint), versions 7.70, 7.70PI and 7.70BYD;
  - AS ABAP and ABAP Platform, versions 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 785;
  - Versions 700, 701, 702 and 730;
- SAP SuccessFactors Mobile Application, versions prior to 2018;
- SAPUI5, versions 750, 753 and 754;