SAP has identified 32 apps that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library that’s been under active attack since last week.
As of yesterday, Patch Tuesday, the German software maker reported that it’s already patched 20 of those apps, and it’s still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in this document, accessible to users on the company’s support portal.
The news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even more dangerous variations, being associated with yet another vulnerability in Apache’s fast-baked patch and threat actors jumping it on a global scale.
Between Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.
Beyond ‘Logapalooza’: Other SAP Patch Tuesday Fixes
But hard though it may be to believe, there are other SAP security matters to attend to besidea Logapalooza, including fixes for other severe flaws in the company’s products. On Tuesday, SAP released 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.
“HotNews” is the highest-severity rating that SAP doles out. Three of December’s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.
Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them – #3089831, tagged with a CVSS score of 9.9 – was initially released on SAP’s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. “SAP explicitly says that the update does not require any customer action,” he noted.
Another of the HotNews Notes – #2622660 – is rated a top criticality of 10, but it’s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.
“SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,” Fritsch said. “The note references 62 Chromium fixes with a maximum CVSS score of 9.6 — 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues.”
Taking these out, what’s left of the most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.
SAP HotNews Note Security Note #3109577
This note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library XStream: a simple library that serializes objects to XML and back again.
SAP’s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. He pulled out two things worth mentioning when comparing the note’s CVEs with the patches listed on https://x-stream.github.io/security.html:
- The provided SAP patch contains version 1.4.15 of the XStream library
- Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the Xstream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Site Forgery Request vulnerability
“As a workaround, affected customers can also directly replace the affected XStream library file with its latest version,” Fritsch advised.
SAP HotNews Note Security Note #3119365
This one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.
Found in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.
“The provided patch just deactivates the affected coding,” Fritsch continued. “The report is only used by SAP internally, was not intended for release, and does not impact existing functionality.”
Those who can access the note and who are interested in which report is affected can get that information in the “Correction Instructions” section by activating the tab “TADIR Entries,” Fritsch said.
Notable SAP High Priority Notes
SAP Security Notes #3114134 and #3113593
SAP Commerce is also affected by these two notable High Priority notes.
Tagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. “The escaping of values passed to a parameterized “in” clause, in flexible search queries with more than 1000 values, is processed incorrectly,” he explained. “This allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.”
SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it’s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).
SAP Knowledge Warehouse High Priority Note #3102769
Another high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.
“The vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer’s landscape is all that is needed to be vulnerable,” Fritsch cautioned.
Customers who don’t actively use the displaying component of SAP KW may still experience a security breach, he noted.
The note details two possible workarounds:
- Disabling the affected display component by adding a filter with a specific custom rule
- Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)
SAP NetWeaver AS ABAP High Priority Note #3123196
With a CVSS score of 8.4, SAP Security Note #3123196 describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.
“A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,” Fritsch elucidated.
SAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the “Correction Instructions” section by selecting the tab “TADIR Entries.”
SAF-T Framework SAP High Priority Security Note #3124094
This one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) – an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes – and back.
The note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.
Open-Source Libraries as the Weakest Link
Fritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating “that there is always a risk involved when using open-source libraries.”
Besides the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include, for example, the recent discovery of three malicious packages hosted in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into loads of poisoned applications.
Another of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens was found.
External libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: “The ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.