SAP’s still feverishly working to patch another 12 apps vulnerable to the Log4Shell flaw, while its Patch Tuesday release includes 21 other fixes, some rated at 9.9 criticality.
SAP has identified 32 apps that are affected by CVE-2021-44228 – the critical vulnerability in the Apache Log4j Java-based logging library that’s been under active attack since last week.
As of yesterday, Patch Tuesday, the German software maker reported that it had already patched 20 of those apps and was still working on fixes for the remaining 12. SAP has provided workarounds for some of the pending patches in a document on the company's support portal, accessible to registered users.
The news about Log4Shell has been nonstop: the easily exploited, ubiquitous vulnerability has spun off even more dangerous variations, a further vulnerability has been found in Apache's hastily produced patch, and threat actors have jumped on it on a global scale.
Between Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.
But hard though it may be to believe, there are other SAP security matters to attend to besides Logapalooza, including fixes for other severe flaws in the company's products. On Tuesday, SAP released 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.
“HotNews” is the highest-severity rating that SAP doles out. Three of December’s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.
Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them – #3089831, tagged with a CVSS score of 9.9 – was initially released on SAP’s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. “SAP explicitly says that the update does not require any customer action,” he noted.
Another of the HotNews Notes – #2622660 – is rated a top criticality of 10, but it’s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.
“SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,” Fritsch said. “The note references 62 Chromium fixes with a maximum CVSS score of 9.6 — 26 of them rated with High Priority. The last number only reflects vulnerabilities that were reported externally, as Google doesn’t provide such information about internally detected issues.”
Taking these out, the remaining most critical non-Log4Shell patches are two new HotNews Notes, one for SAP Commerce and one for SAP ABAP Server & ABAP Platform, both released with a CVSS criticality of 9.9 and detailed below.
SAP Security Note #3109577 addresses code-execution vulnerabilities in SAP Commerce's localization for China and covers 11 related CVEs; SAP has tagged it with a CVSS score of 9.9. Fritsch noted that the localization for China package uses the open-source library XStream, a library that serializes Java objects to XML and deserializes them back again.
SAP’s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. He pulled out two things worth mentioning when comparing the note’s CVEs with the patches listed on https://x-stream.github.io/security.html:
“As a workaround, affected customers can also directly replace the affected XStream library file with its latest version,” Fritsch advised.
The second 9.9-rated note patches a code-injection issue in a text-extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.
Found in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.
“The provided patch just deactivates the affected coding,” Fritsch continued. “The report is only used by SAP internally, was not intended for release, and does not impact existing functionality.”
Those who can access the note and who are interested in which report is affected can get that information in the “Correction Instructions” section by activating the tab “TADIR Entries,” Fritsch said.
SAP Commerce is also affected by these two notable High Priority notes.
Tagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. “The escaping of values passed to a parameterized “in” clause, in flexible search queries with more than 1000 values, is processed incorrectly,” he explained. “This allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.”
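The note on the page does not disclose the defective escaping logic, and the code below is not SAP Commerce's flexible-search code. It is an added, generic illustration of the class of bug Fritsch describes: a query builder that must split an IN list because the database caps the number of expressions per IN clause (Oracle's limit is 1000, error ORA-01795), and that concatenates the values into SQL text instead of binding them. sqlite3 stands in for Oracle so the example runs offline, and the demo uses a chunk size of 500 and a 600-value lookup (assumed values, chosen to stay under the 999 bind-variable default of older SQLite builds) rather than Oracle's 1000. The catalogue rows and the hostile value are constructed here.

```python
"""Illustrative only: splitting a long IN list across several IN groups.
Not SAP Commerce code; sqlite3 stands in for Oracle so it runs offline."""
import sqlite3

ORACLE_IN_LIMIT = 1000  # ORA-01795: at most 1000 expressions per IN list


def _groups(values, chunk):
    return [values[i:i + chunk] for i in range(0, len(values), chunk)]


def in_clause_naive(column, values, chunk=ORACLE_IN_LIMIT):
    """Vulnerable pattern: values are quoted and pasted into the SQL text.
    A value containing a quote closes the literal and rewrites the query."""
    if not values:
        return "0=1", []
    parts = []
    for g in _groups(values, chunk):
        literals = ", ".join("'" + v + "'" for v in g)  # no escaping of quotes
        parts.append(f"{column} IN ({literals})")
    return "(" + " OR ".join(parts) + ")", []


def in_clause_bound(column, values, chunk=ORACLE_IN_LIMIT):
    """Hardened pattern: every value is a bind parameter. Only the number of
    placeholders depends on the input; the SQL text never contains user data."""
    if not values:
        return "0=1", []
    parts = [f"{column} IN ({', '.join('?' * len(g))})" for g in _groups(values, chunk)]
    return "(" + " OR ".join(parts) + ")", list(values)


def lookup(conn, builder, column, wanted, chunk):
    where, params = builder(column, wanted, chunk)
    return [row[0] for row in conn.execute(f"SELECT code FROM product WHERE {where}", params)]


def demo(chunk=500):
    """Constructed catalogue of 1500 products; a 600-code lookup needs two IN groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (code TEXT)")
    conn.executemany("INSERT INTO product VALUES (?)", [(f"P{i:05d}",) for i in range(1500)])
    wanted = [f"P{i:05d}" for i in range(600)]
    # Constructed hostile value: closes the IN list and appends a tautology.
    hostile = wanted + ["x') OR ('1'='1"]
    return {
        "naive_ok": len(lookup(conn, in_clause_naive, "code", wanted, chunk)),
        "naive_hostile": len(lookup(conn, in_clause_naive, "code", hostile, chunk)),
        "bound_ok": len(lookup(conn, in_clause_bound, "code", wanted, chunk)),
        "bound_hostile": len(lookup(conn, in_clause_bound, "code", hostile, chunk)),
    }


if __name__ == "__main__":
    print(demo())
```

With the naive builder the hostile value turns the second group into `code IN (..., 'x') OR ('1'='1')` and the lookup returns the whole table; with the bound builder the same value is just a code that matches nothing. The point of the exercise is that a builder which is safe for short lists can still be unsafe on the branch that only runs past the database's limit, which is exactly the kind of path that escapes routine testing.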
SAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it’s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).
Another high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.
“The vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer’s landscape is all that is needed to be vulnerable,” Fritsch cautioned.
Customers who don’t actively use the displaying component of SAP KW may still experience a security breach, he noted.
The note details two possible workarounds:
With a CVSS score of 8.4, SAP Security Note #3123196 describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.
“A highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,” Fritsch elucidated.
SAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the “Correction Instructions” section by selecting the tab “TADIR Entries.”
Tagged with a CVSS score of 7.7, this note patches a directory-traversal vulnerability in the SAF-T framework, which converts SAP tax data to and from the Standard Audit File for Tax (SAF-T) format, an OECD standard for the electronic exchange of accounting data with tax authorities.
The note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.
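The note does not say how the SAF-T framework validates path information, so the code below is not SAP's implementation. It is an added, generic example of the confinement check a file-exporting or file-reading component needs: resolve the caller-supplied path against a fixed base directory and reject anything that lands outside it, including `..` segments, absolute paths and symlinks. The export directory, its files and the probe paths are all constructed inside a temporary directory (Linux assumed for the symlink).

```python
"""Illustrative only: confining user-supplied file paths to a base directory.
Generic example, not SAP's SAF-T framework code."""
import os
import tempfile


def resolve_under(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or None if the
    resolved location escapes base_dir (via '..', an absolute path or a symlink)."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath
    # collapses '..' and follows symlinks, so the prefix test below is the
    # check that actually enforces confinement.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def read_export(base_dir, user_path):
    """Read a file from the export directory, refusing anything outside it."""
    path = resolve_under(base_dir, user_path)
    if path is None:
        raise PermissionError(f"path escapes export directory: {user_path!r}")
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout: tmp/saft_export/2021/audit.xml (inside),
    tmp/secret.txt (outside) and tmp/saft_export/link -> tmp/secret.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        export = os.path.join(tmp, "saft_export")
        os.makedirs(os.path.join(export, "2021"))
        with open(os.path.join(export, "2021", "audit.xml"), "w") as fh:
            fh.write("<AuditFile/>")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(export, "link"))

        probes = ["2021/audit.xml", "2021/../2021/audit.xml",
                  "../secret.txt", "/etc/passwd", "link"]
        allowed = {p: resolve_under(export, p) is not None for p in probes}
        allowed["read_inside"] = read_export(export, "2021/audit.xml") == b"<AuditFile/>"
        try:
            read_export(export, "../secret.txt")
            allowed["read_outside_blocked"] = False
        except PermissionError:
            allowed["read_outside_blocked"] = True
        return allowed


if __name__ == "__main__":
    for probe, ok in demo().items():
        print(f"{probe:28} {'allowed' if ok else 'rejected'}")
```

A check that only looks for the substring `..` in the input is not enough: an absolute path contains none, a symlink inside the base directory can point anywhere, and encoded or mixed separators can survive a naive filter. Resolving first and comparing real paths afterwards closes all three. Note also that the rejection message should not echo the resolved path, since that would itself leak file-system structure.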
Fritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating “that there is always a risk involved when using open-source libraries.”
Besides the Log4Shell elephant in the room, recent examples that prove his point about the risk of relying on the security of outside code include the discovery of three malicious packages hosted in the Python Package Index (PyPI) code repository that collectively had more than 12,000 downloads, each of which potentially translates into a poisoned application.
Another of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens was found.
External libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: “The ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. Remember, a software product is only as secure as its weakest software component.”