SAP Security Notes - December 2021 - Safe O'Clock

SAP Security Notes – December 2021

December 14, 2021

On the 14th of December 2021, the last Patch Day of the year, we saw the release of 12 new Security Notes.

There were 4 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 5
Correction with high priority 5
Correction with medium priority 5
Correction with low priority 1

Highlights

On December Patch Day SAP presents 9 high-severity Notes with 4 of them rated as HotNews. As a part of the year’s conclusion, let’s take a look at them one by one:

Open source component Apache Log4j2 which is used in the SAP HANA XS model was proven of containing a severe security bug. This security issue was explained in 3130698 SAP Security Note and correspondingly assigned a CVSS Score of 10 – Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications. The bug has proven to be one of the most dangerous over the last several years of cybersecurity practice. The solution steps must be tracked and applied immediately: The potential attacker can control log messages or log message parameters and through them execute arbitrary code downloaded from LDAP servers. Several versions of JNDI functions used in the configuration, log messages and parameters do not protect against such activity. Our experts highly recommend tracking the solutions and mitigation steps of the Note mentioned. The 3131258 Security Note contains further instructions. More updates are expected for these Notes, so it is essential to keep an eye on the progress, even though it was proven that a certain number of products related to Log4j are not affected.

The update corrections for this Patch Day which we will cover here are rated with a high priority CVSS Score of 10 and 9.9 correspondingly. Firstly, Security Note 2622660Security updates for the browser control Google Chromium delivered with SAP Business Client. The usual update consists of more than 60 fixes, many of which are considered critical for SAP Business Client. Secondly, Security Note 3089831SQL Injection vulnerability in SAP NZDT Mapping Table Framework. The previous Note update took place in September 2021, however, it is indicated that no customer actions are required for this particular one.

3109577, The next Security Note to explore, – Code Execution vulnerability in SAP Commerce, localization for China with CVSS Score of 9.9, covers the vulnerabilities of open source software component versions: these allow the opportunity of code execution attacks. Solution and several workarounds are presented. Another 3113593 Security Note – Denial of service (DOS) in SAP Commerce – also covers the SAP Commerce vulnerability mitigation steps. Library jsoup could become unavailable after the DoS attack, which possibility is eliminated with the presented solution.

Another HotNews Security Note rated with a CVSS Score of 9.9 is 3119365Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools). After the breach, the attacker could control the whole behavior of the Platform application. Nevertheless, the solution is given to secure your text extraction reports. It will be good to say that the solution is expected to cause no impact on other existing functionality.

Further list of Security Notes is dedicated to various attack vulnerability mitigations and rated as highly-prioritized with a CVSS Score in the range of 8.8 to 7.5. Let us guide you from up to the bottom.
3114134SQL Injection vulnerability in SAP Commerce – the attacker can execute crafted database queries if the parametrized “in” clause accepts more than 1000 values.
3102769Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse XSS attack conduction is possible through the usage of one SAP KW component within a Web browser.
3123196Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP –  Several methods of utility classes allow an attacker to inject code when executing a certain transaction.
3124094Directory Traversal vulnerability in SAF-T Framework – an attacker could acquire full server dictionary access through performing a certain transaction, however, with read-only possibilities.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-XS-RT 3130698 Remediating log4j CVE-2021-44228 vulnerability in XS Advanced Platform and applications HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CEC-COM-CPS-WEB-CAI 3109577 Code Execution vulnerability in SAP Commerce, localization for China HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-DOC-TTL 3119365 [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-UPG-NZ 3089831 [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CEC-COM-CPS-COR 3114134 [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce high 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KM-KW-HTA 3102769 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse high 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
BC-INS-TC-CNT 3123196 [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP high 8.4 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
FI-LOC-SAF 3124094 [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework high 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CEC-COM-CPS-COR 3113593 Denial of service (DOS) in SAP Commerce high 7.5 CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SBO-CRO-SEC 3101299 [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One medium 6.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
BC-CST-WDP 3000663 [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CA-VE-VEV 3121165 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CA-UI5-DLV 2843016 [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
BI-RA-WBI-FE-HTM 3103677 [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform  (Web Intelligence) medium 4.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
GRC-ACP 3080816 [CVE-2021-44233] Missing Authorization check in GRC Access Control low 2.4 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK