National Cyber Warfare Foundation (NCWF)

SAP Patch Day: September 2023

SAP Patch Day for September 2023

ltabo


Tue, 09/12/2023 - 10:35



Critical Patches for SAP BusinessObjects and SAP CommonCryptoLib released


Highlights of September SAP Security Notes analysis include:



  • September Summary—Eighteen new and updated SAP security patches released, including five HotNews Notes and two High Priority Notes

  • SAP BusinessObjects in Focus—Five patches released, including two HotNews Notes and one High Priority Note

  • Onapsis Research Labs Contribution—Our team supported SAP in patching a High Priority vulnerability in SAP CommonCryptoLib


SAP has published eighteen new and updated Security Notes on its September Patch Day (including the notes that were released or updated since the last Patch Tuesday). These include five HotNews Notes and two High Priority Notes.


One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660, which provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 116.0.5845.97, which fixes sixty-seven vulnerabilities in total, including one Critical and thirty-one High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.


HotNews Note #3245526, tagged with a CVSS score of 9.9, is an update to a patch that was initially released by SAP in March 2023. It fixes a serious Code Injection vulnerability in SAP BusinessObjects. The ‘Support Packages & Patches’ section of the note was updated with the latest patch levels. 


HotNews Note #3273480, tagged with a CVSS score of 9.9, is another update that only became necessary because the Security Note had previously been deleted by accident. No customer action is required.




The New HotNews Notes in Detail


SAP Security Note #3320355, tagged with a CVSS score of 9.9, is a new HotNews Note for SAP BusinessObjects. The job folder of the Promotion Management component is vulnerable to an Information Disclosure. A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application. As a workaround, SAP recommends granting the rights needed to access and perform promotions in Promotion Management only to the users who require them. Normal users do not have view rights by default; however, users in the administrator group should be explicitly denied view rights on the Promotion jobs folder.


SAP Security Note #3340576, tagged with a CVSS score of 9.8, is the second new HotNews Note of SAP’s September Patch Day. Missing or wrong authorization checks in SAP CommonCryptoLib can result in an escalation of privileges. The resulting impact depends on the application and on the level of acquired privileges. In the worst case, attackers can compromise the affected application completely.




High Priority SAP Security Notes


In addition to the HotNews Notes for SAP BusinessObjects and SAP CommonCryptoLib, SAP has also released High Priority Notes for these two applications.


SAP Security Note #3370490, tagged with a CVSS score of 8.7, patches an Insufficient File Type Validation vulnerability in the Web Intelligence HTML interface of SAP BusinessObjects Business Intelligence Platform. While uploading a local image file as part of a report creation, an authenticated attacker could intercept the request and modify the content type and the file extension. This would allow them to read and modify sensitive data, causing a high impact on the confidentiality and integrity of the application.


The Onapsis Research Labs supported SAP in patching a High Priority Memory Corruption vulnerability in SAP CommonCryptoLib. The corresponding SAP Security Note #3327896, tagged with a CVSS score of 7.5, provides patches for all affected applications:



  • Kernel Patch for SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise

  • SAPSSOEXT Library

  • SAP Web Dispatcher

  • SAP Host Agent

  • SAP Content Server

  • SAP HANA Database

  • SAP Extended Application Services and Runtime (XSA)


The good news is that all patches for HotNews Note #3340576 automatically patch this vulnerability, too. There is only one exception: while the HotNews Note does not affect SAP HANA revisions based on 2.0 SPS 05, #3327896 does. The required revision for patching #3327896 on that line is 2.00.059.10.




Information for SAP BusinessObjects Customers


SAP provided five patches in total for SAP BusinessObjects. The following table is a quick reference for identifying which SP levels are affected by which vulnerabilities and the patch levels that fix them:


SAP Note  | CVSS | Software Component Version   | Affected SP | Patch Level
----------|------|------------------------------|-------------|------------
#3320355  | 9.9  | SBOP BI PLATFORM SERVERS 4.2 | SP009       | 001600
          |      | SBOP BI PLATFORM SERVERS 4.3 | SP002       | 001201
          |      |                              | SP003       | 000600
          |      |                              | SP004       | 000000
#3245526  | 9.9  | SBOP BI PLATFORM SERVERS 4.2 | SP009       | 001300
          |      | SBOP BI PLATFORM SERVERS 4.3 | SP002       | 001000
          |      |                              | SP003       | 000100
          |      |                              | SP004       | 000000
#3370490  | 8.7  | SBOP BI PLATFORM SERVERS 4.2 | SP009       | 001600
#3317702  | 6.2  | SBOP BI PLATFORM SERVERS 4.2 | SP009       | 001600
          |      | SBOP BI PLATFORM SERVERS 4.3 | SP003       | 000600
          |      | SBOP BI PLATFORM CLIENTS 4.2 | SP009       | 001600
          |      | SBOP BI PLATFORM CLIENTS 4.3 | SP003       | 000600
#3352453  | 5.3  | SBOP BI PLATFORM SERVERS 4.3 | SP003       | 000600
          |      |                              | SP004       | 000000


Summarizing this information, all SAP BusinessObjects vulnerabilities are fixed with the following patch levels:


Software Component Version   | Affected SP | Patch Level
-----------------------------|-------------|------------
SBOP BI PLATFORM SERVERS 4.2 | SP009       | 001600
SBOP BI PLATFORM CLIENTS 4.2 | SP009       | 001600
SBOP BI PLATFORM SERVERS 4.3 | SP002       | 001201
                             | SP003       | 000600
                             | SP004       | 000000
SBOP BI PLATFORM CLIENTS 4.3 | SP003       | 000600

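As an added example (not code from the Onapsis post or from SAP), the per-note table above can be turned into a small checker that reports which of the five BusinessObjects notes are still open for a given component, SP and patch level, and that derives the consolidated levels of the summary table as the highest level any note demands. The component names, SP and patch-level notation are the table's own; treating an SP that appears in no note as "not listed" rather than "safe" is an assumption of this example.

```python
# Transcribed from the per-note table: note -> {(component, SP): fixing patch level}.
FIXING_LEVEL = {
    "#3320355": {("SBOP BI PLATFORM SERVERS 4.2", "SP009"): "001600",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP002"): "001201",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP003"): "000600",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP004"): "000000"},
    "#3245526": {("SBOP BI PLATFORM SERVERS 4.2", "SP009"): "001300",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP002"): "001000",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP003"): "000100",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP004"): "000000"},
    "#3370490": {("SBOP BI PLATFORM SERVERS 4.2", "SP009"): "001600"},
    "#3317702": {("SBOP BI PLATFORM SERVERS 4.2", "SP009"): "001600",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP003"): "000600",
                 ("SBOP BI PLATFORM CLIENTS 4.2", "SP009"): "001600",
                 ("SBOP BI PLATFORM CLIENTS 4.3", "SP003"): "000600"},
    "#3352453": {("SBOP BI PLATFORM SERVERS 4.3", "SP003"): "000600",
                 ("SBOP BI PLATFORM SERVERS 4.3", "SP004"): "000000"},
}


def level(text: str) -> int:
    """Patch levels in the table are zero-padded decimal strings; compare them numerically."""
    return int(text)


def check(component: str, sp: str, patch: str) -> dict:
    """Return {"open": [...], "fixed": [...]} over the notes that list this component/SP.

    Assumption of this example: a (component, SP) pair absent from every note yields two
    empty lists ("not listed"), which is not the same as "not affected"; read the note.
    """
    key = (component.upper(), sp.upper())
    open_notes, fixed = [], []
    for note, rows in FIXING_LEVEL.items():
        required = rows.get(key)
        if required is None:
            continue
        (fixed if level(patch) >= level(required) else open_notes).append(note)
    return {"open": sorted(open_notes), "fixed": sorted(fixed)}


def summary_level(component: str, sp: str):
    """The summary table's single level: the highest fixing level any note demands (or None)."""
    key = (component.upper(), sp.upper())
    levels = [rows[key] for rows in FIXING_LEVEL.values() if key in rows]
    return f"{max(map(int, levels)):06d}" if levels else None


if __name__ == "__main__":
    # Constructed sample input, not a real system: a 4.3 server at SP003, patch level 4.
    print(check("SBOP BI PLATFORM SERVERS 4.3", "SP003", "000400"))
    print(summary_level("SBOP BI PLATFORM SERVERS 4.3", "SP003"))
```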


Summary and Conclusion


With eighteen new and updated SAP Security Notes, including five HotNews Notes and two High Priority Notes, SAP's September Patch Day looks like a busy one. But since two of the HotNews Notes are only minor updates that require no customer action, and since the SAP BusinessObjects and SAPCryptoLib notes take little effort to implement, the overall patching effort is manageable.


SAP Note | Type   | Description                                                                                                                                  | Component          | Priority | CVSS
---------|--------|----------------------------------------------------------------------------------------------------------------------------------------------|--------------------|----------|-----
3245526  | Update | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)                                    | BI-BIP-CMC         | HotNews  | 9.9
3357163  | New    | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client                                                                    | BC-SYB-PD          | Medium   | 6.3
3355675  | New    | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps)                                 | FI-FIO-AP-CHK      | Low      | 2.7
3326361  | New    | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App                                                                | MM-FIO-PUR-SQ-CON  | Medium   | 5.4
3370490  | New    | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)    | BI-RA-WBI-FE       | High     | 8.7
3348142  | New    | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures)                                                           | BC-GP              | Medium   | 5.3
3352453  | New    | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)       | BI-BIP-LCM         | Medium   | 5.3
3349805  | New    | Denial of service (DOS) vulnerability due to the usage of a vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | FS-QUO       | Medium   | 5.7
3327896  | New    | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib                                                                      | BC-IAM-SSO-CCL     | High     | 7.5
3323163  | New    | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)                             | BC-WD-UR           | Medium   | 5.5
3320355  | New    | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)            | BI-BIP-LCM         | HotNews  | 9.9
3317702  | New    | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer)                                       | BI-BIP-INS         | Medium   | 6.2
2622660  | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client                                                  | BC-FES-BUS-DSK     | HotNews  | 10.0
3273480  | Update | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)                                                      | BC-XI-CON-UDS      | HotNews  | 9.9
3369680  | New    | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)                                       | FI-FIO-AP          | Low      | 3.5
3340576  | New    | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib                                                                          | BC-IAM-SSO-CCL     | HotNews  | 9.8
3156972  | Update | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search)                                | MM-FIO-PUR-REQ-SSP | Medium   | 6.1
3149794  | Update | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5                                                          | CA-UI5-COR         | Medium   | 6.1





Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.


For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest, our monthly video recap of ERP security news.






The post SAP Patch Day: September 2023 appeared first on Security Boulevard.



Source: Security Boulevard
Source Link: https://securityboulevard.com/2023/09/sap-patch-day-september-2023/
