On 9 August 2016, SAP released its monthly critical patch update consisting of 13 SAP Security Notes; in addition, 17 Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
To help everyone engaged in the SAP patching process, the ERPScan research team prepared a detailed review of the released SAP Security Notes and guidelines on their implementation. This analysis would also be useful for companies that provide SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing.
SAP Security Notes August 2016
SAP’s critical patch update for August 2016 closes 30 vulnerabilities in SAP products in total, including 26 SAP Security Patch Day Notes and 4 Support Package Notes. 17 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 14 of all the Notes are updates to previously released Security Notes.
14 of the released SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 7.5.
The most common vulnerability type is Cross-Site Scripting.
Most of the vulnerabilities belong to the Java platform.
Priority vs. Application type distribution
It is a commonplace that SAP systems are complex. However, when it comes to SAP Security Notes implementation, this complexity must be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution between priority and application area.

Application area                    SAP Security Note
Business intelligence solutions     2249634
Supply Chain Management             2317358
Environment, Health and Safety      1540408
The most critical SAP Security notes to implement
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2292714: SAP Memory Snapshot Creation has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can use a Denial of Service vulnerability to terminate a process of a vulnerable component. During that time nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, harms business reputation. Install this SAP Security Note to prevent the risks.
- 2319506: SAP Database Monitors for Oracle has an SQL Injection vulnerability (CVSS Base Score: 7.2). An attacker can exploit an SQL Injection vulnerability with specially crafted SQL queries. It allows reading and modifying sensitive information in a database, executing administration operations on a database, and destroying data or making it unavailable. In some cases, an attacker can also access system data or execute OS commands. Install this SAP Security Note to prevent the risks.
- 2294866: SAP JMS Provider Service has a Missing Authorization Check vulnerability (CVSS Base Score: 6.4). An attacker can use a Missing Authorization Check vulnerability to access a service without any authorization procedure and use service functionality that should have restricted access. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
SAP notes implementation in Java stack
SAP Security Notes implementation is not a one-time action but a continuous process that should be conducted on a regular basis. Unfortunately, this process is not simple and requires an in-depth understanding of the SAP environment and its security and, more importantly, of the security processes specific to a given SAP landscape. Because of the complexity and interconnection of the software, fixing one problem may in turn introduce another, causing a knock-on effect across the whole system and potential service downtime. The ERPScan research team helps to mitigate this issue with its series of SAP Security Notes implementation guidelines.
Today we are patching the SAP Java component BPEM PORTAL CONTENT using information from SAP Security Note 2296909, released this August. For our tests, we have SAP NetWeaver AS Java 7.31 with BPEM-PP 7.31 (SP 18, patch 00).
1) First of all, download the required patch. Log in to the SAP Launchpad with your credentials. To find the required component, you can use the search functionality.
2) Select “Downloads” and enter “BPEM PORTAL CONTENT 7.31”.
3) Choose the required patch. For our system, it is BPEM PORTAL CONTENT 7.31 SP018 with patch 000001 (file name BPEMPP18P_1-20007114.SCA).
4) Put the downloaded file BPEMPP18P_1-20007114.SCA into C:\usr\sap\trans\EPS\in (Windows) or /usr/sap/trans/EPS/in (Linux).
5) Use Telnet to connect to the server on port 5NN08, where NN is the instance number.
6) Enter the username and password.
7) Use the command “deploy path_to_file” to deploy the patch.
8) When the deployment finishes, you will get a Successful status.
9) Now we can check the version on the web page http(s)://host:5NN00/nwa/sysinfo on the “Components Info” tab.
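The steps above leave two details to the administrator: deriving the Telnet and HTTP ports from the instance number, and getting the .SCA archive into the EPS inbox before typing the deploy command. The following POSIX shell helpers are an added example written for this article; they are not an ERPScan or SAP script. They assume only what the steps state (port 5NN08 for Telnet, 5NN00 for NWA, and /usr/sap/trans/EPS/in as the inbox); the function names and the default inbox argument are our own choices.

```shell
#!/bin/sh
# Added example, not part of the original article or an SAP tool.
# Helpers for the Java-stack patch steps: derive ports from the instance
# number and stage the .SCA archive into the EPS inbox with basic checks.

# Telnet administration port is 5NN08, where NN is the two-digit instance number.
sap_telnet_port() {
  case "$1" in
    [0-9][0-9]) printf '5%s08\n' "$1" ;;
    *) echo "instance number must be two digits, got '$1'" >&2; return 1 ;;
  esac
}

# NWA system info page is served on HTTP port 5NN00 (use https:// if the
# system is configured for TLS; the article lists both schemes).
sap_nwa_sysinfo_url() {
  host="$1"; nn="$2"
  case "$nn" in
    [0-9][0-9]) printf 'http://%s:5%s00/nwa/sysinfo\n' "$host" "$nn" ;;
    *) echo "instance number must be two digits, got '$nn'" >&2; return 1 ;;
  esac
}

# Copy a downloaded archive into the EPS inbox (default path from step 4 on
# Linux) and print the staged path, which is what "deploy path_to_file" takes.
# Refuses anything that is not an existing .SCA file so a stray download
# cannot be deployed by mistake.
sap_stage_sca() {
  sca="$1"; inbox="${2:-/usr/sap/trans/EPS/in}"
  case "$sca" in
    *.SCA|*.sca) ;;
    *) echo "not an SCA archive: $sca" >&2; return 1 ;;
  esac
  [ -f "$sca" ] || { echo "no such file: $sca" >&2; return 1; }
  mkdir -p "$inbox" || return 1
  cp "$sca" "$inbox/" && printf '%s/%s\n' "$inbox" "$(basename "$sca")"
}

# Usage for the article's system (instance number is a constructed placeholder):
#   sap_telnet_port 00            -> 50008
#   sap_nwa_sysinfo_url sapj01 00 -> http://sapj01:50000/nwa/sysinfo
#   sap_stage_sca ~/Downloads/BPEMPP18P_1-20007114.SCA
```

After sap_stage_sca prints the inbox path, connect with Telnet to the port that sap_telnet_port returns and issue "deploy" with that path (steps 5 to 7); the URL from sap_nwa_sysinfo_url is where step 9 verifies the new component version.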
ERPScan highly recommends that SAP customers implement SAP Security Notes as soon as patches are released, to prevent business risks affecting their SAP systems.