On the 14th of December 2021, the last Patch Day of the year, we saw the release of 12 new Security Notes.
There were 4 updates to previously released Patch Day Security Notes.
Notes by severity

| Severity | Count |
|---|---|
| Correction with high priority | 5 |
| Correction with medium priority | 5 |
| Correction with low priority | 1 |
On the December Patch Day SAP presents 9 high-severity Notes, 4 of them rated HotNews. To close out the year, let's take a look at them one by one:
The open source component Apache Log4j2, used by the SAP HANA XS Advanced platform, was found to contain a severe security bug. The issue is covered by SAP Security Note 3130698 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications – which carries a CVSS score of 10. The bug has proven to be one of the most dangerous seen in cybersecurity practice over the last several years, and the solution steps must be tracked and applied immediately. An attacker who can control log messages or log message parameters can use them to execute arbitrary code loaded from an LDAP server, because the JNDI lookup functionality in affected versions does not guard against this when used in configuration, log messages or parameters. Our experts highly recommend following the solution and mitigation steps of the Note. Security Note 3131258 contains further instructions. More updates to these Notes are expected, so it is essential to keep an eye on their progress, even though a number of Log4j-related products have been confirmed as not affected.
The two updated Notes from this Patch Day that we cover here are rated HotNews, with CVSS scores of 10 and 9.9 respectively. The first is Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client. As usual, the update bundles more than 60 fixes, many of them rated critical for SAP Business Client. The second is Security Note 3089831 – SQL Injection vulnerability in SAP NZDT Mapping Table Framework. The Note was last updated in September 2021; for this particular update no customer action is required.
The next Security Note to explore, 3109577 – Code Execution vulnerability in SAP Commerce, localization for China, with a CVSS score of 9.9, covers vulnerable versions of open source software components that allow code execution attacks. A solution and several workarounds are presented. Security Note 3113593 – Denial of service (DOS) in SAP Commerce – also provides mitigation steps for SAP Commerce: the jsoup library could become unavailable under a DoS attack, a possibility the presented solution rules out.
Another HotNews Security Note with a CVSS score of 9.9 is 3119365 – Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools). After a successful attack, the attacker could control the whole behavior of the Platform application. The solution secures the text extraction reports and is expected to have no impact on other existing functionality.
The remaining high-priority Security Notes address various vulnerabilities, with CVSS scores ranging from 8.8 down to 7.5. We walk through them from top to bottom.
3114134 – SQL Injection vulnerability in SAP Commerce – an attacker can execute crafted database queries when the parametrized “in” clause accepts more than 1000 values.
3102769 – Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse – an XSS attack is possible through the use of one SAP KW component within a web browser.
3123196 – Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP – several methods of utility classes allow an attacker to inject code when executing a certain transaction.
3124094 – Directory Traversal vulnerability in SAF-T Framework – by executing a certain transaction an attacker could gain access to the full server directory, although read-only.
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-XS-RT | 3130698 | Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-WEB-CAI | 3109577 | Code Execution vulnerability in SAP Commerce, localization for China | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-DOC-TTL | 3119365 | [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-UPG-NZ | 3089831 | [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS-COR | 3114134 | [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
| BC-INS-TC-CNT | 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP | high | 8.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| FI-LOC-SAF | 3124094 | [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| CEC-COM-CPS-COR | 3113593 | Denial of service (DOS) in SAP Commerce | high | 7.5 | CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| SBO-CRO-SEC | 3101299 | [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One | medium | 6.6 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| CA-VE-VEV | 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| CA-UI5-DLV | 2843016 | [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| BI-RA-WBI-FE-HTM | 3103677 | [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence) | medium | 4.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N |
| GRC-ACP | 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control | low | 2.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |