SAP Security Notes, April 2022

Through its services, such as the SAP Security Assessment, Inprosec helps its clients improve the security levels of their SAP systems.

April 2022 Notes

Summary and highlights of the month

The total number of notes/patches has increased compared with last month. In addition to this rise in the total number of notes, the number of Hot News also changed: 4 last month versus 8 in April. On the other hand, the number of high-criticality notes increases, from 1 to 7 this month. As always, we leave the medium and low notes unreviewed this month, but we give details on a total of 15 notes (all those with a CVSS of 7 or higher).

We have a total of 35 notes for the whole month, 18 more than last March (33 from Patch Tuesday, 23 new and 10 updates, 17 more than last month).

There are 8 critical notes (Hot News) this month, 4 new and 4 updates, which stand out for their high CVSS. We also review in detail 7 of the 7 high notes (those with a CVSS greater than or equal to 7), which this month are 3 updates and 4 new notes.

  • The most critical notes of the month (CVSS 10) are 2: on one hand the usual Google Chromium note and, on the other, a note with the same score affecting SAP NetWeaver, SAP Content Server and SAP Web Dispatcher.
  • Next in criticality (CVSS 9.9) is a "Code Injection Vulnerability" note affecting SAP Manufacturing Integration and Intelligence.
  • Below that we find 4 notes of very high criticality (CVSS 9.8), all related to "Remote Code Execution" and affecting Spring Framework, SAP HANA Extended Application Services, SAP Customer Checkout and SAP PowerDesigner Web Portal.
  • Finally, among the Hot News, there is one last note with criticality CVSS 9.1, a "Code injection vulnerability" related to SAP Manufacturing Integration and Intelligence.
  • As for the high-level notes, there are a total of 7, among which one with CVSS 8.9 and two others with 8.2 stand out, related to HTTP Request Smuggling, Cross-Site Scripting (XSS) and a visible CSRF token. The rest (18) are medium and low level, and we will not review them in detail.
  • This month the predominant note types are "Cross-Site Scripting (XSS)", "Remote Code Injection", "Information Disclosure" and "Denial of Service", all with 4/33 and 4/35 on patch day.

In the chart (SAP post, April 2022) we can see the classification of April's notes, as well as the evolution and classification over the previous 5 months (only the Security Tuesday / Patch Day notes, by SAP):

Full detail

The full detail of the most relevant notes is as follows:

  1. Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the third-party web browser control Chromium, which can be used within SAP Business Client. The note is modified periodically based on web browser updates by the open source project Chromium, and its priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open source browser control might lead to various vulnerabilities such as memory corruption, information disclosure and the like. The solution is to update SAP Business Client to the newest patch, which contains the most current stable major release of the Chromium browser control that passed SAP's internal quality measurements for SAP Business Client. CVSS v3 Base Score: 10 / 10 (multiple CVEs).
  2. Update – Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher (3123396): This security note covers a request smuggling and request concatenation vulnerability in SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher. An unauthenticated attacker can prepend a victim's request with arbitrary data and thereby execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of the confidentiality, integrity and availability of the system. The correction requires patching both SAP Web Dispatcher and the SAP Kernel; the patch resolves the security issue completely. CVSS v3 Base Score: 10 / 10 (CVE-2022-22536).
  3. Update – Code injection vulnerability in SAP Manufacturing Integration and Intelligence (3022622): SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). An attacker can intercept a request to the server, inject malicious JSP code into the request and forward it to the server. When this dashboard is opened by users having at least the SAP_XMII_Developer role, the malicious content in the dashboard gets executed, leading to remote code execution on the server and allowing privilege escalation. The update indicates that this solution is now obsolete; for the complete fix, implement SAP Security Note 3158613. CVSS v3 Base Score: 9.9 / 10 (CVE-2021-21480).
  4. Central Security Note for Remote Code Execution vulnerability associated with Spring Framework (3170990): This security note is the central document consolidating all SAP Security Notes released for the Remote Code Execution vulnerability associated with Spring Framework (CVE-2022-22965). CVSS v3 Base Score: 9.8 / 10 (CVE-2022-22965).
  5. Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services (3189428): SAP HANA Extended Application Services uses a version of Spring Framework which has a Remote Code Execution vulnerability (CVE-2022-22965). The solution is to update SAP HANA XS, advanced model to version 1.0.145 or greater. CVSS v3 Base Score: 9.8 / 10 (CVE-2022-22965).
  6. Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout (3187290): SAP Customer Checkout uses a version of Spring Framework which has a Remote Code Execution vulnerability (CVE-2022-22965). To prevent exploitation of this vulnerability, update to one of the following versions, which use a newer version of Spring Framework: SAP Customer Checkout 2.0 FP13 PL01 or higher, SAP Customer Checkout 2.0 FP12 PL10 or higher, SAP Customer Checkout 2.0 FP11 PL09 or higher. CVSS v3 Base Score: 9.8 / 10 (CVE-2022-22965).
  7. Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to and including 16.7 SP05 PL01) (3189429): PowerDesigner Web uses a version of Spring Framework which has a Remote Code Execution vulnerability (CVE-2022-22965). CVSS v3 Base Score: 9.8 / 10 (CVE-2022-22965).
  8. Update – Code injection vulnerability in SAP Manufacturing Integration and Intelligence (3158613): This security note is an update to security note 3022622; the fix provided in security note 3022622 is no longer valid. SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). An attacker can intercept a request to the server, inject malicious JSP code into the request and forward it to the server. When this dashboard is opened by users having at least the SAP_XMII_Developer role, the malicious content in the dashboard gets executed, leading to remote code execution on the server and allowing privilege escalation. The Virus Scan Interface has been implemented for all file upload/import scenarios within MII. A NetWeaver Administrator should configure and enable the Virus Scan profile "XMII_VSI", which will then be used by MII. MII supports the BLOCKEXTENSIONS and BLOCKMIMETYPES parameters provided by the profile. Using the virus scanner profile, the NetWeaver Administrator can restrict JSP creation by an XMII developer. CVSS v3 Base Score: 9.1 / 10 (CVE-2021-21480).
  9. Update – HTTP Request Smuggling in SAP Web Dispatcher (3080567): An unauthenticated attacker can submit a maliciously crafted request over a network to a front-end server which may, over a number of attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources, making it temporarily unavailable. Update your SAP Web Dispatcher; the correction is delivered with the kernel archive SAPWEBDISP.SAR. CVSS v3 Base Score: 8.9 / 10 (CVE-2021-38162).
  10. CSRF token visible in one of the URLs in SAP Business Intelligence Platform (3130497): A CSRF token visible in the URL may lead to an information disclosure vulnerability. This issue is fixed in the patches listed in the "Support Packages & Patches" section of the note. CVSS v3 Base Score: 8.2 / 10 (CVE-2022-27671).
  11. Update – Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad (3149805): This note patches a Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad. The research team detected that SAP Fiori launchpad allows an unauthenticated attacker to manipulate the SAP-theme URL parameter, inject HTML code, and create a link over the network for a user to click on. Once the link is clicked, successful exploitation allows the attacker to hijack user privileges that can be used to exfiltrate data and craft a CSRF attack to manipulate data. This can limit the application's confidentiality and pose risks to its integrity, as well as increase the likelihood of it being completely compromised. CVSS v3 Base Score: 8.2 / 10 (CVE-2022-26101).
  12. Update – HTTP Request Smuggling in SAP NetWeaver Application Server Java (3123427): SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling. Due to this vulnerability, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling, which could allow the malicious payload to be executed and hence execute functions impersonating the victim or even steal the victim's logon session. Besides, due to improper error handling, an attacker could submit multiple HTTP server requests resulting in errors that consume the memory buffer, which could result in a system shutdown rendering the system unavailable. These vulnerabilities have been fixed by proper memory handling for HTTP pipeline requests. This correction is contained in all patch levels equal to or higher than the patch level listed in the "Support Package Patches" section of this SAP Note for the desired kernel release. CVSS v3 Base Score: 8.1 / 10 (CVE-2022-22532).
  13. Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce (3155609): SAP Commerce contains an Apache Tomcat application server that has a known vulnerability (CVE-2022-23181). Configuring Tomcat to use FileStore to persist sessions can expose your SAP Commerce system to a time-of-check, time-of-use vulnerability that allows attackers to perform actions with the privileges of the user that the Tomcat process is running as. The following SAP Commerce patch releases contain the upgraded Tomcat: SAP Commerce Cloud Patch Release 2105.10, SAP Commerce Cloud Patch Release 2011.20, SAP Commerce Cloud Patch Release 2005.25, SAP Commerce Cloud Patch Release 1905.41. CVSS v3 Base Score: 7.5 / 10 (CVE-2022-28772).
  14. Denial of service (DoS) in SAP Web Dispatcher and SAP NetWeaver (Internet Communication Manager) (3111311): Through overlong input values an attacker may force an overwrite of the internal program stack in SAP Web Dispatcher or Internet Communication Manager, which makes these programs unavailable. Use SAPWEBDISP.SAR to patch the standalone SAP Web Dispatcher. Use dw.sar or SAPEXE.SAR and SAPEXEDB.SAR to patch both ICM and the embedded SAP Web Dispatcher. The correction is contained in all patch levels equal to or higher than the patch level listed in the "Support Package Patches" section of this SAP Note for the desired kernel release. CVSS v3 Base Score: 7.0 / 10 (CVE-2022-28772).
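Three of the notes above (3123396, 3080567 and 3123427) concern HTTP request smuggling, where a front end and a back end disagree about where one request ends and the next begins, so one request's data can end up prepended to another's. The following Python check is an added illustration, not SAP's fix (which is a kernel / Web Dispatcher patch): it shows the kind of framing validation a defensive proxy applies to refuse ambiguous requests instead of guessing. The sample requests are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

CRLF = b"\r\n"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.1 request into (name, value) pairs."""
    head = raw.split(CRLF + CRLF, 1)[0]
    pairs = []
    for line in head.split(CRLF)[1:]:  # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


# Each rule below rejects a case where two HTTP parsers could legitimately
# disagree on the message boundary, which is exactly what smuggling exploits.
def framing_problem(raw: bytes) -> Optional[str]:
    """Return why the request's body framing is ambiguous, or None if it is clean."""
    headers = parse_headers(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:  # identical duplicates are tolerated, differing ones are not
        return "conflicting duplicate Content-Length headers"
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            return "malformed Content-Length value"
    if te and te[-1].split(",")[-1].strip().lower() != "chunked":
        return "Transfer-Encoding does not end with chunked"
    # A header name padded with whitespace ("Transfer-Encoding : chunked")
    # is honoured by some parsers and ignored by others.
    for line in raw.split(CRLF + CRLF, 1)[0].split(CRLF)[1:]:
        name = line.split(b":", 1)[0]
        if name != name.strip():
            return "whitespace around header name"
    return None


# Constructed sample requests (not real traffic).
CLEAN = (b"POST /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_AND_TE = (b"POST /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
PADDED = (b"POST /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
```

Only CLEAN passes; the other three samples each trip a different rule, and a proxy that drops them removes the parser disagreement the smuggling notes describe.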

Reference links

Reference links from INCIBE-CERT regarding the publication of the notes for the month of April:

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-sap-abril-2022

Other references, in English, from SAP and Onapsis (April):

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

https://onapsis.com/blog/sap-security-patch-day-april-2022-focus-spring4shell-and-sap-mii

The complete list of affected systems/components is as follows:

  • Fiori Launchpad, versions 754, 755 and 756;
  • SAP 3D Visual Enterprise Viewer, version 9;
  • SAP Business Client, version 6.5;
  • SAP BusinessObjects Business Intelligence Platform (BI Workspace), version 420;
  • SAP BusinessObjects Business Intelligence Platform, versions 420 and 430;
  • SAP BusinessObjects Enterprise (Central Management Server), versions 420 and 430;
  • SAP Commerce, versions 1905, 2005, 2105 and 2011;
  • SAP Content Server, version 7.53;
  • SAP Customer Checkout, version 2.0;
  • SAP Customer Checkout_SVR, version 2.0;
  • SAP Focused Run (Simple Diagnostics Agent), version 1.0;
  • SAP HANA Extended Application Services, version 1;
  • SAP Innovation Management, version 2;
  • SAP Manufacturing Integration and Intelligence, versions 15.1, 15.2, 15.3 and 15.4;
  • SAP NetWeaver:
    • ABAP Server and ABAP Platform, versions 740, 750 and 787;
    • Application Server for Java, version 7.50;
    • Application Server Java, versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49 and 7.53;
    • Enterprise Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50;
    • EP Web Page Composer, versions 7.20, 7.30, 7.31, 7.40 and 7.50;
    • Internet Communication Manager, versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85 and 7.86;
    • SAP NetWeaver and ABAP Platform, versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT and 7.49;
    • SAP NetWeaver Application Server ABAP and ABAP Platform, versions 700, 710, 711, 730, 731, 740 and 750-756;
    • SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel), versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT and 7.49;
  • SAP SQL Anywhere Server, version 17.0;
  • SAP Web Dispatcher, versions 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.83, 7.85, 7.86 and 7.87;
  • SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer), versions 104, 105 and 106;
  • SAPUI5 (vbm library), versions 750, 753, 754, 755 and 756;
  • SAPUI5, versions 750, 753, 754, 755, 756 and 200.
