SAP is still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release features 21 other fixes, some rated at 9.9 criticality.
SAP has identified 32 apps that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library that has been under active attack since last week.
As of yesterday, Patch Tuesday, the German software maker reported that it has already patched 20 of those applications, and it is still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in this document, available to customers on the company’s support portal.
The news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even more dangerous variants, becoming associated with yet another vulnerability in Apache’s quickly baked patch, and threat actors jumping on it on a global scale.
Between Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.
Beyond ‘Logapalooza’: Other SAP Patch Tuesday Fixes
But hard as it may be to believe, there are other SAP security matters to attend to besides Logapalooza, including fixes for other severe flaws in the company’s products. On Tuesday, SAP released 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.
“HotNews” is the highest-severity rating that SAP doles out. Three of December’s HotNews-rated bugs carried a CVSS score of 9.9 (out of 10) and the fourth hit the top mark of 10.
Thomas Fritsch, an SAP security researcher at enterprise security company Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them – #3089831, tagged with a CVSS score of 9.9 – was initially released on SAP’s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible indicators. “SAP explicitly states that the update does not require any customer action,” he noted.
Another of the HotNews Notes – #2622660 – is rated a top criticality of 10, but it is the regularly recurring HotNews Note that provides an SAP Business Client patch with the latest tested Chromium fixes.
“SAP Business Client customers already know that updates of this note often contain critical fixes that should be addressed,” Fritsch said. “The note references 62 Chromium fixes with a maximum CVSS score of 9.6 — 26 of them rated with High Priority. The latter number only reflects vulnerabilities that have been reported externally, as Google does not provide such data about internally detected issues.”
Taking those out, what remains of the most critical non-Log4Shell patches is a pair for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.
SAP HotNews Security Note #3109577
This note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library XStream: a simple library that serializes objects to XML and back again.
SAP’s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. He pulled out two points worth mentioning when comparing the note’s CVEs with the patches listed on https://x-stream.github.io/security.html:
- The provided SAP patch contains version 1.4.15 of the XStream library
- Version 1.4.15 specifically patches code-execution vulnerabilities, but following the XStream patch history, it also fixes two denial-of-service vulnerabilities and a server-side request forgery vulnerability
“As a workaround, affected customers can also directly replace the affected XStream library file with its latest version,” Fritsch advised.
SAP HotNews Security Note #3119365
This one, which is also tagged with a CVSS score of 9.9, patches a code-injection issue in a text-extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.
Found in versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.
“The provided patch just deactivates the affected coding,” Fritsch continued. “The report is only used by SAP internally, was not intended for release, and does not affect existing functionality.”
Those who can access the note and who are interested in which report is affected can find that information in the “Correction Instructions” section by activating the tab “TADIR Entries,” Fritsch said.
Noteworthy SAP High Priority Notes
SAP Security Notes #3114134 and #3113593
SAP Commerce is also affected by these two noteworthy High Priority notes.
Tagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. “The escaping of values passed to a parameterized “in” clause, in flexible search queries with more than 1000 values, is processed incorrectly,” he said. “This allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.”
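As an added illustration, not SAP’s code or the note’s own fix, here is the general shape of the weakness Fritsch describes and its remedy, using SQLite in place of Oracle: a query that splices a long IN list into the SQL text next to one that binds every value and splits the list below the database’s per-list limit. The table, row count and crafted value are constructed for the demonstration.

```python
import sqlite3

# Oracle rejects IN lists longer than 1000 entries (ORA-01795), so queries
# with more values need a separate code path; the SAP Commerce note above
# concerns the escaping applied on that path. The chunk size is a parameter
# so the same logic also runs on SQLite, whose bind-variable limit can be
# lower than 1000 on older builds.
ORACLE_IN_LIST_LIMIT = 1000


def make_db(row_count=1500):
    """Constructed sample data (not from the article): codes P00000.."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(f"P{i:05d}", f"product {i}") for i in range(row_count)],
    )
    return conn


def find_by_codes_unsafe(conn, codes):
    """Weak pattern: values are spliced into the SQL text, so a value that
    carries a quote changes the query's structure instead of being compared."""
    in_list = ",".join(f"'{c}'" for c in codes)
    sql = f"SELECT code FROM products WHERE code IN ({in_list})"
    return [row[0] for row in conn.execute(sql)]


def find_by_codes_safe(conn, codes, chunk_size=ORACLE_IN_LIST_LIMIT):
    """Hardened pattern: no value ever enters the SQL text. The list is split
    into chunks of at most chunk_size values, each bound via placeholders."""
    codes = list(codes)
    found = []
    for start in range(0, len(codes), chunk_size):
        chunk = codes[start:start + chunk_size]
        placeholders = ",".join("?" * len(chunk))
        sql = f"SELECT code FROM products WHERE code IN ({placeholders})"
        found.extend(row[0] for row in conn.execute(sql, chunk))
    return found


if __name__ == "__main__":
    db = make_db()
    wanted = [f"P{i:05d}" for i in range(1200)] + ["x') OR ('1'='1"]
    # Unsafe builder: the crafted last value turns the query into "match all".
    print(len(find_by_codes_unsafe(db, wanted)))     # 1500
    # Safe builder: the crafted value is only a string that matches nothing.
    print(len(find_by_codes_safe(db, wanted, 500)))  # 1200
```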
SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it is processed, Fritsch explained, allowing the attacker to inflict extended response delays and service interruptions that result in denial of service (DoS).
SAP Knowledge Warehouse High Priority Note #3102769
Another high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive information being disclosed.
“The vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the mere existence of that component in the customer’s landscape is all that is needed to be vulnerable,” Fritsch cautioned.
Customers who don’t actively use the displaying component of SAP KW may still experience a security breach, he noted.
The note details two possible workarounds:
- Disabling the affected display component by adding a filter with a specific custom rule
- Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)
SAP NetWeaver AS ABAP High Priority Note #3123196
With a CVSS score of 8.4, SAP Security Note #3123196 describes a code-injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.
“A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,” Fritsch elucidated.
SAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are listed in the “Correction Instructions” section by selecting the tab “TADIR Entries.”
SAF-T Framework SAP High Priority Security Note #3124094
This one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) – an OECD international standard for the electronic exchange of data that allows tax authorities of all countries to accept data for tax purposes – and back again.
The note describes how insufficient validation of path information in the framework allows an attacker to read the entire file-system structure, Fritsch explained.
Open-Source Libraries as the Weakest Link
Fritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating “that there is always a risk involved when using open-source libraries.”
In addition to the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include the recent discovery of three malicious packages hosted in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into hundreds of poisoned applications.
Another of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens was found.
External libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: “The ability to implement new functionality in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component.”