SAP is still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, even as its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality.
SAP has identified 32 applications that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library that has been under active attack since last week.
As of yesterday, Patch Tuesday, the German software maker reported that it has already patched 20 of those applications, and it is still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in this document, available to customers on the company’s support portal.
The news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even more dangerous variants, being linked with yet another vulnerability in Apache’s quick-baked patch, and threat actors leaping on it on a global scale.
Between Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.
Beyond ‘Logapalooza’: Other SAP Patch Tuesday Fixes
But hard though it may be to believe, there are other SAP security matters to attend to besides Logapalooza, including fixes for other severe flaws in the company’s products. On Tuesday, SAP released 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.
“HotNews” is the highest-severity rating that SAP doles out. Three of December’s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.
Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them – #3089831, tagged with a CVSS score of 9.9 – was initially released on SAP’s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. “SAP explicitly states that the update does not require any customer action,” he noted.
Another of the HotNews Notes – #2622660 – is rated a top criticality of 10, but it is the regularly recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.
“SAP Business Client customers already know that updates of this note usually contain critical fixes that must be addressed,” Fritsch said. “The note references 62 Chromium fixes with a maximum CVSS score of 9.6 – 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google does not provide these details about internally detected issues.”
Taking these out, what is left of the most critical non-Log4Shell patches is a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.
SAP HotNews Security Note #3109577
This note is for a code-execution vulnerability in SAP Commerce, localization for China, that addresses 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library XStream: a simple library that serializes objects to XML and back again.
SAP’s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. He pulled out two points worth mentioning when comparing the note’s CVEs with the patches listed on https://x-stream.github.io/security.html:
- The provided SAP patch contains version 1.4.15 of the XStream library
- Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the XStream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Side Request Forgery vulnerability
“As a workaround, affected customers can also directly replace the affected XStream library file with its latest version,” Fritsch advised.
SAP HotNews Security Note #3119365
This one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.
Found in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.
“The provided patch just deactivates the affected coding,” Fritsch continued. “The report is only used by SAP internally, was not intended for release, and does not impact existing functionality.”
Those who can access the note and who are interested in which report is affected can find that information in the “Correction Instructions” section by activating the tab “TADIR Entries,” Fritsch said.
Noteworthy SAP High Priority Notes
SAP Security Notes #3114134 and #3113593
SAP Commerce is also affected by these two noteworthy High Priority notes.
Tagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. “The escaping of values passed to a parameterized “in” clause, in flexible search queries with more than 1000 values, is processed improperly,” he explained. “This allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.”
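Oracle caps an IN list at 1000 entries, so a query layer filtering on a larger set must split the list, and the split is where escaping can go wrong if values are copied into the SQL text. As an added example (not SAP’s or Onapsis’s code), this shows a query builder that honours the 1000-item limit while keeping every value a bind variable; the table and column names, the `:vN` bind style and the sample SKUs are constructed for the example.

```python
"""Fully parameterized IN-clause construction around Oracle's 1000-value limit.

Oracle refuses IN lists with more than 1000 entries (ORA-01795), so a query
layer filtering on a larger set has to split the list. Here every value stays
a bind variable and only placeholders are generated, so there is no escaping
step that can be processed improperly.
"""
from typing import List, Sequence, Tuple

ORACLE_IN_LIST_LIMIT = 1000  # maximum entries in one Oracle IN list

Query = Tuple[str, Tuple[str, ...]]  # (sql text, bound parameter values)


def build_in_queries(table: str, column: str, values: Sequence[str],
                     chunk_size: int = ORACLE_IN_LIST_LIMIT) -> List[Query]:
    """Return (sql, params) pairs, each binding at most chunk_size values.

    table and column are trusted identifiers chosen by the application and are
    checked to be plain identifiers; values are untrusted and never enter the
    SQL string.
    """
    for ident in (table, column):
        if not ident.replace("_", "").isalnum():
            raise ValueError(f"not a plain identifier: {ident!r}")
    if not 1 <= chunk_size <= ORACLE_IN_LIST_LIMIT:
        raise ValueError("chunk_size must be between 1 and 1000")
    queries: List[Query] = []
    for start in range(0, len(values), chunk_size):
        chunk = tuple(values[start:start + chunk_size])
        # Oracle-style named binds :v0, :v1, ... (assumed style); the driver
        # substitutes them, so quote characters in values need no handling here.
        placeholders = ", ".join(f":v{i}" for i in range(len(chunk)))
        sql = f"SELECT * FROM {table} WHERE {column} IN ({placeholders})"
        queries.append((sql, chunk))
    return queries


def values_leaked_into_sql(queries: List[Query]) -> bool:
    """True if any bound value, or any quote character, appears in the SQL text.

    With proper binding the text contains only identifiers and placeholders,
    so this is a cheap regression check for a query layer.
    """
    return any(v in sql or "'" in sql for sql, params in queries for v in params)


if __name__ == "__main__":
    # Constructed sample: 1500 SKUs plus one containing a quote character.
    skus = [f"SKU-{i:04d}" for i in range(1500)] + ["O'Brien-special"]
    for sql, params in build_in_queries("products", "code", skus):
        print(len(params), "binds ->", sql[:60] + "...")
```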
SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it is processed, Fritsch said, allowing the attacker to inflict extensive response delays and service interruptions that result in denial of service (DoS).
SAP Knowledge Warehouse High Priority Note #3102769
Another high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive information being disclosed.
“The vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer’s landscape is all that is required to be vulnerable,” Fritsch cautioned.
Customers who do not actively use the displaying component of SAP KW may still experience a security breach, he noted.
The note details two possible workarounds:
- Disabling the affected display component by adding a filter with a specific custom rule
- Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed through SAP Web Dispatcher)
SAP NetWeaver AS ABAP High Priority Note #3123196
With a CVSS score of 8.4, SAP Security Note #3123196 describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.
“A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,” Fritsch explained.
SAP fixed the issue by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are listed in the “Correction Instructions” section by selecting the tab “TADIR Entries.”
SAF-T Framework SAP High Priority Security Note #3124094
This one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File for Tax format (SAF-T) – an OECD international standard for the electronic exchange of data that allows tax authorities of all countries to accept data for tax purposes – and back.
The note describes how insufficient validation of path information in the framework allows an attacker to read the entire file-system structure, Fritsch explained.
Open-Source Libraries as the Weakest Link
Fritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating “that there is always a risk involved when using open-source libraries.”
Besides the Log4Shell elephant in the room, recent examples that prove his point about the risks of relying on the security of outside code include the recent discovery of three malicious packages hosted in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into hundreds of poisoned apps.
Another of many examples of how the software supply chain has become an increasingly popular means of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that appeared to harvest Discord tokens was found.
External libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: “The ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component.”
Some parts of this article are sourced from:
threatpost.com