Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
August 2022 notes
Summary and highlights of the month
The total number of notes/patches was 11, 16 less than last month. Despite the lower number of notes, the number of Hot News has increased, with none last month, compared to the note existing in August. On the other hand, it should be noted that the number of notes of high criticality decreased from 5 to 3 this month. As usual, we will leave the medium and low scores unchecked this month, but we will give details of a total of 4 notes (all those with a CVSS of 7 or higher).
We have a total of 11 notes for the whole month, 16 notes less than last July (the 7 from Patch Tuesday, 5 new and 2 updates, are 16 notes less than last month).
We will review in detail 4 of the total of 4 high notes and Hot News, the Hot News being an update of a previous note and the 3 high notes would be new (those of CVSS greater than or equal to 7).
- The most critical note of the month (with CVSS 10) is the usual note related to “Google Chromium”.
- The following in criticality (CVSS 8.2, 8.1 and 7.3) are three high notes, one of “Information Disclosure vulnerability” in SAP BusinessObjects Business Intelligence Platform, another related to “Privilege escalation vulnerability” in SAP SuccessFactors, and the last one would be related to “Information Disclosure” in SAP Landscape Management platform.
- The rest (7) are medium and low level, and we will not see them in detail.
- This month the most predominant types are “Information Disclosure vulnerability” (6/11 and 4/7 in patch day) and “Missing Authorization Check” (3/11 and 1/7 in patch day).
In the graph (post August 2022 from SAP) we can see the classification of the notes of August in addition to the evolution and classification of the last 5 previous months (only the notes of Sec. Tuesday / Patch Day – by SAP):
Full details
- Update – Security updates for the browser control Google Chromium delivered with SAP Business Client (2622660): This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client. This note will be modified periodically based on web browser updates by the open source project Chromium. The note priority is based on the highest CVSS score of all the vulnerabilities fixed in the latest browser release. If the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client via this open source browser control might lead to different vulnerabilities like memory corruption, Information Disclosure and the like. The solution will be to update the SAP Business Client patch to the newest one, which contains the most current stable major release of the Chromium browser control, which passed the SAP internal quality measurements of SAP Business Client. CVSS v3 Base Score: 10 / 10 (Multiple CVE´s).
- Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Open Document) (3210823): SAP BusinessObjects Open Document allows an unauthenticated attacker to retrieve sensitive information plain text over the network. On successful exploitation, the attacker can view any data available for a business user and put load on the application by an automated attack, completely compromising confidentiality but causing a limited impact on the availability of the application. All versions lower than 4.2 SP9 P6 and 4.3 SP2 are affected by the vulnerability. This issue is fixed in the patches listed in the section “Support Packages & Patches” of the note. CVSS v3 Base Score: 8,2 / 10 (CVE-2022-32245).
- Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) (3226411): Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow an attacker with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow and Benefits. On successful exploitation, the attacker can read/write attachments, compromising the confidentiality and integrity of the application. Customers using attachments in Time Off, Time Sheet, EC Workflow and Benefits modules of SAP SF Mobile Application are impacted. Several measures have been taken to resolve the identified vulnerability in the most recent software update. This vulnerability impacts users who are using the iOS and Android mobile application versions released previous to V8.0.5. For this reason, the SAP SuccessFactors mobile team is releasing an immediate fix to stop the ability to download, upload or preview attachments from the impacted SAP SF Mobile modules at this time. To fix the issue, download the latest version of the SAP SuccessFactors iOS and Android mobile application (V8.0.5) to ensure the organization is not at risk of any threats from this vulnerability. CVSS v3 Base Score: 8,1 / 10 (CVE-2022-35291).
- Information Disclosure in SAP Landscape Management (3213141): An information Disclosure vulnerability exists in the enterprise edition of SAP Landscape Management that would allow an authenticated user to obtain privileged access to other systems making those other systems vulnerable to information disclosure and modification. The information disclosed are the credentials and it can only be accessed by authenticated SAP Landscape Management users, but they can escalate their privileges to other systems. To fix the problem, the procedure would be as follows: Implement SAP Adaptive Extensions Patch 70, then remove Adaptive Extensions logs from the affected systems, and finally change the affected credentials because the logs could have already been read. CVSS v3 Base Score: 7.3 / 10.
Reference links
Other references, from SAP and Onapsis (August):
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://onapsis.com/blog/sap-security-patch-day-august-2022-sap-businessobjects-focus
Resources affected
- SAP Authenticator for Android, Versions <1.2.17
- SAP Business Client, Versions 6.5, 7.0, 7.70
- SAP Business Objects Platform (MonitoringDB), Version 430
- SAP BusinessObjects Business Intelligence Platform (CommentaryDB), Versions 420, 430
- SAP BusinessObjects Business Intelligence Platform (Open Document),Versions 420, 430
- SAP Enable Now Manager, Version 1.0
- SAP NetWeaver, Versions 740, 750