SAP Business Client; version - 6.5 PL5 and above; CVSS score 9.8
SAP Business Client is a user interface client that presents a single entry point to different SAP business applications and technologies. SAP Business Client supports single sign-on, so there is no need to login at multiple places to access different applications.
For the first time in SAP Business Client history, starting with version 6.5, SAP offers a Chromium web browser control based on the Chromium Embedded Framework (CEF) as an alternative to Microsoft Internet Explorer. You can now use the Chromium browser control to display HTML content within the SAP Business Client. According to the SAP Product Security Team and the Onapsis Research Labs, SAP applications can be vulnerable if the SAP Business Client is running an outdated Chromium version.
The CVSS score for this vulnerability is high because, if the SAP Business Client release is not updated accordingly, an outdated embedded Chromium could lead to:
Unplanned downtime
A breach disclosing sensitive information
Memory corruption
System information disclosure or, in the worst case, a system crash
Vulnerabilities with a direct impact on the confidentiality, integrity and availability of the system
Information being gathered for future attacks, possibly with more severe consequences
Learn more about the SAP Business Client on the SAP Help Portal.
#2 Impacted System and Version - Critical Note
Solution Manager; version - 7.2; CVSS score 7.1; CVE-2019-0291
SAP Solution Manager, aka SolMan, is an SAP application that provides key support to IT infrastructure for SAP applications in a distributed environment.
CA Introscope helps in monitoring and managing Java applications. It consists of the Introscope Enterprise Manager (EM) and Introscope Java agents installed on the managed systems. For the Solution Manager capability Monitoring and Alerting Infrastructure (MAI), the CA Introscope Enterprise Manager offers the Introscope Push service, which actively pushes monitoring metrics from the EM to Solution Manager. Introscope Push calls a Solution Manager web service that requires authentication.
The issue concerns how these user credentials are stored. According to SAP, if the credentials are compromised under certain conditions, Solution Manager 7.2 allows an attacker to access information that would otherwise be restricted. Some well-known impacts are:
Loss of information and system configuration confidentiality
Information gathering for further exploits and attacks
Note: As you deploy the OSS notes (OSS, the On-line Service System, is the channel through which users get fast and effective help from SAP), do not ignore the manual notes they recommend.
Most of the vulnerabilities fixed by SAP are reported by third-party security researchers. Thanks to the community for their contribution.
Many exploitation events are seen shortly after the release of a patch. The dark web buzz begins to pick up with the information provided by SAP Patch Tuesdays. A detailed analysis of the patch helps threat actors immediately take advantage of the previously undisclosed vulnerabilities that remain in unpatched systems.
Organizations should set aside time to deploy security patches; remember, threat actors are not waiting for you. Although the complexity of deploying security patches to production and the change management life cycle in a large enterprise is understandable, it is equally important that external threat actors do not take advantage of this window. As a recommendation, organizations should have a process for continuous monitoring of SAP vulnerabilities while their SAP Basis and security administrators work on patching the systems.