Highlights of November SAP Security Notes analysis include:

• November Summary – Six new and updated SAP security patches released, including two HotNews Notes and four Medium Priority Notes
• SAP Business One requires Special Attention – Improper Access Control vulnerability can lead to considerable impact on confidentiality, integrity, and availability.

SAP has published six new and updated Security Notes on its November Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two HotNews Notes and four Medium Priority Notes. 

Minor HotNews Note Update

SAP Security Note #3340576, tagged with a CVSS score of 9.8, was initially released on SAP’s September Patch Day. It patches a critical Missing Authorization Check in the SAP CommonCryptoLib that could result in a complete compromise of the affected application. SAP has released an update of the note with minor text changes affecting the referenced SAP Note in the Solution section for SAP HANA Database 2.0 customers on SPS06.

New HotNews Note for SAP Business One

The only new HotNews Note is SAP Security Note #3355658 which is tagged with a CVSS score of 9.6. This note patches an Improper Access Control Vulnerability caused by the SAP Business One installation process. The process allows anonymous users read and write access to the SMB shared folder. Affected components are Crystal Report (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder). 

Although the note only provides a hotfix for SAP Business One 10.0 SP 2308, installations on lower support package (SP) levels are also affected by the vulnerability. Since there is neither a hotfix nor an appropriate and safe workaround available for these lower SP levels, affected customers have to update their installation to SP 2308 and implement the provided hotfix. Customers should also read the referenced FAQ note #3400236.

Further New Security Notes

Two new Medium Priority Security Notes were released, both patching an Information Disclosure vulnerability tagged with a CVSS score of 5.3. 

SAP Security Note #3362849 patches an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform allowing unauthenticated attackers to access unintended data. The note provides a kernel patch that fixes the affected ICM component. SAP NetWeaver Application Server Java is not affected.

SAP Security Note #3366410 patches an Information Disclosure vulnerability in SAP NetWeaver Application Server Java. An unauthenticated attacker can brute-force the login functionality in NetWeaver AS Java Logon application to identify legitimate user ids. According to the SAP Note, an exploit has only an impact on confidentiality, but not on integrity or availability.

Summary & Conclusions

Calm, calmer, calmest… This could be the motto of the last three SAP Patch Days. With only six new and updated SAP Security Notes, SAP’s November Patch Day is one of the quietest we’ve seen. Nevertheless, SAP Business One customers should react quickly and follow the instructions in SAP Security Note #3355658.

As always, the Onapsis Research Labs will update The Onapsis Platform to incorporate the newly published vulnerabilities into the product, so our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest–our monthly video recap of ERP security news.