SAP Security Patch Day April 2022: In Focus: Spring4Shell and SAP MII
This blog was originally published by Onapsis here.
Written by Thomas Fritsch, Onapsis.
Highlights of April SAP Security Notes analysis include:
- April Summary - 35 new and updated SAP security patches released, including six HotNews Notes and six High Priority Notes.
- SAP affected by Spring4Shell - Patch for SAP HANA Extended Application Services available
SAP has published 35 new and updated Security Notes on its April Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes six HotNews Notes and six High Priority Notes.
SAP’s April Patch Tuesday requires special attention again. Once more, SAP is affected by a serious vulnerability in an external framework. The Spring4Shell vulnerability, assigned as CVE-2022-22965, was recently detected and has been successfully exploited, as noted by researchers. Fortunately, the amount of affected SAP applications seems to be very limited. Another critical vulnerability was detected by the Onapsis Research Labs (ORL). Our ORL team contributed to a serious vulnerability in SAP MII that could lead to a full compromise of the server in patching hosting the application.
Before going into further details about the serious vulnerabilities, let’s first do some housekeeping for the critical SAP Security Notes.
HotNews Note #3022622, tagged with a CVSS score of 9.1, was already released ahead of the current Patch Day and is now flagged as “obsolete”. The note has been completely replaced by SAP Security Note #3158613 which is described in more detail in the next section.
The HotNewsNote #3123396 and the two High Priority Notes #3123427 and #3080567, which are about patching HTTP Request Smuggling vulnerabilities detected by Onapsis Research Labs, have been updated with Emergency SP Stack Kernel PL1101 information for Kernel 7.22.
Another HotNews Note is the continuously recurring SAP Security Note #2622660, that provides a SAP Business Client Patch with the latest tested Chromium fixes. SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. One remarkable aspect is that SAP has released two new SAP Business Client Patches since last Patch Day. The first one came with Chromium version 99.0.4844.74. This version patched a critical bug (CVE-2022-0971) that was detected internally by Google and rated with a CVSS score of 9.8. So, the first SAP Business Client Patch can be seen as a kind of an emergency fix. As the patches for SAP Business Client are “full” patches, customers can just directly apply the latest patch.
Another updated High Priority note is SAP Security Note #3149805, tagged with a CVSS score of 8.2 and initially released on SAP’s March Patch Day. The note patches a Cross-Site Scripting vulnerability in SAP Fiori Launchpad. The validity of the correction instruction is extended to SAP_UI 753.
The New HotNews Notes in Detail
SAP Security Note #3189428, tagged with a CVSS score of 9.8, patches a Remote Code Execution vulnerability in SAP HANA Extended Application Services. The issue exists because of the recently detected Spring4Shell vulnerability in the relevant version of the Spring Framework. The HotNews note provides a solution by instructing customers to upgrade SAP HANA XS advanced model to version 1.0.145. The note points out that this upgrade action only protects the XS advanced HANA services with respect to CVE-2022-22965. It does not patch vulnerable XS advanced(XSA) applications. Whether or not an XSA application is vulnerable to CVE-2022-22965 depends on the Java Runtime it uses. By default, XSA uses Java 8 runtime which is not affected by Spring4Shell. However, the Java runtime can be customized, for example, to SAPMachine 11. The note provides a detailed step-by-step guide in how to identify applications using vulnerable Spring versions. According to Spring the problem is patched with the minimum Spring framework version 5.3.18.
It seems that SAP expects more areas to be affected by Spring4Shell as the security team has set up the central HotNews Note #3170990 to collect all Spring4Shell related issues.
Another HotNews note was released by SAP as a result of the research work by the Onapsis Research Labs (ORL). The ORL team detected a critical Code Injection vulnerability affecting SAP Manufacturing Integration and Intelligence (SAP MII). SAP MII is an SAP application for synchronizing manufacturing operations with back-office business processes and standardized data. It consists of two main components. The integration component uses web standards to link SAP ERP and related business applications with plant floor applications. The intelligence part is intended to provide real-time analytics of manufacturing operations, using visualization tools and dashboards to show key performance indicators (KPIs) and alerts.
Authorized users can use the Self Service Composition Environment (SSCE) to create, design, configure, and display dashboards based on their needs. The SSCE allows saving these dashboards as JSPs on the server. The Onapsis Research Labs detected that an attacker can inject malicious code into the JSP before it is forwarded to the server. When such a manipulated dashboard is opened by a user with appropriate authorizations, the malicious code is executed on the server. If the malicious code contains certain OS commands, the attacker is able to read, modify or delete arbitrary files on the server and thus, can compromise its integrity, confidentiality and availability. Attackers authenticated as a developer can use the application to upload and execute a file directly which will permit them to execute operating systems commands completely compromising the server hosting the application. SAP Security Note #3158613, tagged with a CVSS score of 9.1, patches this vulnerability. SAP has implemented a Virus Scan interface with the patch for all upload and download activities in SAP MII.
Further High Priority Notes
SAP Security Note #3130497, tagged with a CVSS score of 8.2 fixes an Information Disclosure vulnerability in SAP Business Intelligence Platform. A CSRF token was added to an URL by mistake and could possibly lead to an information disclosure vulnerability. When looking at the CVSS vector of the vulnerability, it becomes obvious that, depending on a victim’s authorizations, an attack using a stolen CSRF token can also have a serious impact on the integrity and the availability of the application.
SAP Security Note #3111311, tagged with a CVSS score of 7.5, patches a Denial of Service vulnerability in SAP Web Dispatcher and SAP Internet Communication Manager(ICM). The issue is caused by a program error related to parameter icm/HTTP/file_access and affects the following scenario:
- ICM on Application Server ABAP
The following scenarios are only affected if parameter icm/HTTP/file_access_<x> has been set explicitly:
- ICM on Application Server Java
- SAP Web Dispatcher
- SAP HANA Extended Application Services Advanced
As a (temporary) workaround, SAP Administrators can add a rewrite rule to avoid an exploit.
A Privilege Escalation vulnerability in Apache Tomcat Server of SAP Commerce is patched with SAP Security Note #3155609, tagged with a CVSS score of 7.0. The vulnerability only affects SAP Commerce customers who have modified their Tomcat configuration to use FileStore. The note provides a SAP Commerce Cloud patch including an Apache Tomcat version that is not exposed to CVE-2022-23181.
In addition to supporting SAP in patching the critical Code Injection vulnerability in SAP MII, our team also contributed in patching a Directory Traversal vulnerability in the Simple Diagnostics Agent used by SAP Focused Run. The ORL team recognized that an insufficient validation of path information allowed a highly privileged remote attacker to gain unauthorized read access to restricted directories. SAP Security Note #3159091, tagged with a CVSS score of 2.7, provides the corresponding patch.
Summary and Conclusions
SAP customers (as well as SAP Patch Day blog post authors) might have been shocked when seeing the volume of Security Notes for SAP’s April Patch Day. But when looking into the details, it is clear that a significant part of the notes do not require any action. Two of six HotNews Notes don’t really count, as one is obsolete and the other one is only a central note documenting all Spring4Shell related information. Another HotNews Note and also three of six High Priority Notes only contain minor updates. With the Spring4Shell vulnerability in mind, some people might have expected even more “noise” on this Patch Day. Fortunately, it only affects Java versions higher than Java 8 and thus, it shouldn’t affect that many SAP applications.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.