On November 11, SAP released 18 new security patch notes and two updated security patches as part of its monthly SAP Security Patch Day feature. Three of the security patches are rated as critical priority, one is high priority, 14 are medium priority, and two are low priority.
SAP encourages customers to visit its Support Portal to apply the patches accordingly.
Critical Priority Security Patches
SAP assigned a critical priority to the following security notes based on their Common Vulnerability Scoring System (CVSS) scores:
- The Insecure key and Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui), Note# 3666261, had a 10.00 out of 10.00 CVSS rating;
- The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java, Note# 3660659, had a 10.00 CVSS;
- The Code Injection vulnerability in SAP Solution Manager, Note# 3668705, had a 9.9 CVSS.
SAP reported that the Insecure key and Secret Management vulnerability affects the SYBASE_SQL_ANYWHERE_SERVER 17.0 version of SQL Anywhere Monitor (Non-Gui). According to the corresponding CVE record, the vulnerability exposes “the resources or functionality to unintended users,” which provides “attackers with the possibility of arbitrary code execution.”
The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java—an update to a security note released in October—affects the SERVERCORE 7.50 version of SAP NetWeaver AS Java. CVE reported the deserialization vulnerability could allow an unauthenticated attacker to “exploit the system through the RMI-P4 module by submitting malicious payload to an open port.”
The Code Injection vulnerability in SAP Solution Manager affects the ST 720 version of SAP Solution Manager. CVE stated the vulnerability “allows an authenticated attacker to insert malicious code when calling a remote-enabled function module.”
Research from Onapsis and SecurityBridge Contributed
Onapsis Research Labs (ORL) reported that it contributed to seven of the SAP Security Notes. These included:
- OS Command Injection vulnerability in SAP Business Connector;
- Path Traversal vulnerability in SAP Business Connector;
- Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector;
- Open Redirect vulnerability in SAP Business Connector;
- JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal;
- Open Redirect vulnerabilities in SAP S/4HANA landscape;
- Missing authentication in SAP HANA 2.0 (hdbrss).
SecurityBridge, meanwhile, reported it contributed to three SAP Security Notes. These included the Code Injection vulnerability in SAP Solution Manager, Missing Authorization check in SAP NetWeaver Application Server for ABAP, and Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench).
What This Means for ERP Today Insiders
Prioritize the critical patches. The three critical security patches affect SQL Anywhere Monitor, SAP NetWeaver AS Java, and SAP Solution Manager. SAP customers using these products should review the related security notes and apply patches as soon as possible. Moreover, customers should have and follow a regular patching strategy.
Older, specialized components carry some risk. November’s SAP Security Patch Day shows that legacy SAP components, like SAP Business Connector, and specialized tools, like SQL Anywhere Monitor, require more attention from cybersecurity professionals. Given that patches often disable these components, ERP Today Insiders should evaluate and consider disabling components that are not actively in use.
Pro-active vendors make a difference. While users can wait for SAP Security Patch Day, independent vendors like Onapsis and SecurityBridge identify, assess, and redress vulnerabilities related to their customers’ exposure. Working with, or following blogs and threat intelligence from, these vendors can offer organizations a head start on addressing potentially critical issues.