SAP has released new patches after facing scrutiny for the “discovery of critical vulnerabilities that could severely compromise system integrity and security”, according to Sukru Ilker Birakoglu, senior director at Logpoint.
In response, SAP published two patches relating to the security of the SAP systems: CVE-2023-35871: SAP Web Dispatcher Memory Corruption and CVE-2023-37491: Authorization Check Vulnerability in SAP Message Server.
Birakoglu describes the SAP Web Dispatcher as a “critical component in many architectures”. The message server is a central communication component in the SAP network as it facilitates communication between the application and the server.
A vulnerability in the authorization check of the SAP Message Server can potentially allow malicious users to gain access to the network, granting them the ability to read/write data and even rendering the system unavailable.
As a means of solving these vulnerabilities, Birakoglu shares the following recommendations released by SAP:
SAP advises the user to install and implement a Kernel Patch, which is described as a generally complex task for companies as it involves extensive testing and quality assurance procedures.
Another option, referred to as a workaround, is to adjust SAP Profile Parameters with the following specific SAP profile parameter settings:
Set icm/HTTP/support_http2 to FALSE
Set system/secure_communication to OFF
Applications that do not have HTTP/2 enabled are not considered vulnerable to CVE-2023-35871. As a result, a workaround that mitigates the vulnerability is simply to disable HTTP/2 support in the affected applications. Falling back from HTTP/2 may have a performance impact, but the application should remain functionally equivalent.
To disable the support for HTTP/2, the profile parameter icm/HTTP/support_http2 should be set to FALSE. The location of this configuration will depend on the affected product – for the ICM in the SAP NetWeaver ABAP, it should be configured in the DEFAULT profile.
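The following is an added example, not code from the article, from Logpoint or from SAP: a small defender-side check that reads a profile in the standard SAP `key = value` syntax (lines starting with `#` are comments) and reports whether the two workaround settings named above are in place, and that can rewrite the profile text to apply them. The profile excerpt is constructed for the example; parameter names and the expected values are the ones the article lists. Where a parameter is absent the check reports "unset" rather than guessing the kernel default, because the default depends on the kernel release.

```python
"""Verify and apply the SAP profile workaround for CVE-2023-35871 / CVE-2023-37491.

Added example (not SAP's code). Assumes the usual SAP profile syntax:
one 'key = value' per line, '#' at line start marks a comment.
"""

# Settings the article reports as SAP's workaround.
EXPECTED = {
    "icm/HTTP/support_http2": "FALSE",
    "system/secure_communication": "OFF",
}

# Constructed DEFAULT.PFL excerpt for the demonstration (not a real system).
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL excerpt
SAPSYSTEMNAME = PRD
SAPGLOBALHOST = apphost01
icm/HTTP/support_http2 = TRUE
"""


def parse_profile(text):
    """Return {parameter: value} from profile text, ignoring comments and blanks."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_workaround(params):
    """Return {parameter: status} where status is 'ok', 'exposed' or 'unset'.

    Comparison is case-insensitive (SAP accepts 'false' and 'FALSE').
    'unset' means the kernel default applies; set the parameter explicitly
    rather than relying on that default.
    """
    result = {}
    for key, wanted in EXPECTED.items():
        value = params.get(key)
        if value is None:
            result[key] = "unset"
        elif value.upper() == wanted:
            result[key] = "ok"
        else:
            result[key] = "exposed"
    return result


def apply_workaround(text):
    """Return profile text with every EXPECTED parameter set to its value.

    Existing lines for the parameter are rewritten in place; missing ones
    are appended so the profile stays readable by the SAP profile parser.
    """
    lines = text.splitlines()
    seen = set()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if key in EXPECTED:
            lines[i] = f"{key} = {EXPECTED[key]}"
            seen.add(key)
    for key, wanted in EXPECTED.items():
        if key not in seen:
            lines.append(f"{key} = {wanted}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = check_workaround(parse_profile(SAMPLE_PROFILE))
    print("before:", before)
    fixed = apply_workaround(SAMPLE_PROFILE)
    print("after: ", check_workaround(parse_profile(fixed)))
    print(fixed)
```

Run it against a copy of the DEFAULT profile (for ABAP systems the article names the DEFAULT profile as the place the ICM reads `icm/HTTP/support_http2` from); the check is read-only, and `apply_workaround` returns new text rather than touching the file, so the change can be reviewed before the instance is restarted to pick it up.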