SAP’s Three Critical Security Patches for November
Key Takeaways
⇨ SAP released 18 new security notes and two updates to earlier notes on November 11. Three are rated critical priority and address vulnerabilities that could allow arbitrary code execution.
⇨ The most significant issues are in SQL Anywhere Monitor, SAP NetWeaver AS Java and SAP Solution Manager; they pose an immediate threat to on-premise, legacy landscapes and could give an attacker control of the affected servers.
⇨ Third-party research firms such as SecurityBridge and Onapsis are identifying a growing share of SAP vulnerabilities, so CIOs and CISOs should treat third-party security partnerships as part of a comprehensive cybersecurity strategy.
SAP released 18 new security patch notes and two updated security patches on November 11, as part of its monthly SAP Security Patch Day feature. Here’s how these security patches have been rated:
- Three are rated as critical priority
- One is high priority
- 14 are medium priority
- Two are low priority
SAP has encouraged its users to visit its Support Portal to apply the patches accordingly.
Critical Priority Security Patches
SAP rated the following security notes as critical priority, based on their Common Vulnerability Scoring System (CVSS) scores:
- The Insecure Key and Secret Management vulnerability in SQL Anywhere Monitor (Non-GUI), Note# 3666261, has a CVSS score of 10.0 out of 10.0;
- The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java, Note# 3660659, has a CVSS score of 10.0;
- The Code Injection vulnerability in SAP Solution Manager, Note# 3668705, has a CVSS score of 9.9.
SAP reported that the Insecure Key and Secret Management vulnerability affects SQL Anywhere Monitor (Non-GUI) version SYBASE_SQL_ANYWHERE_SERVER 17.0. According to the CVE record for the issue, the vulnerability exposes "the resources or functionality to unintended users," which provides "attackers with the possibility of arbitrary code execution." Because the weakness lies in how the product handles its own keys and secrets, not in a setting an administrator chose, the remediation is to apply the note rather than to change configuration.
The Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java is an update to a security note first released in October and affects the SERVERCORE 7.50 component of SAP NetWeaver AS Java. The CVE record states that the deserialization vulnerability could allow an unauthenticated attacker to exploit the system through the RMI-P4 module by submitting a malicious payload to an open port. No credentials are required, so until the note is applied the practical exposure of a system is determined by whether its P4 port is reachable from untrusted networks.
The Code Injection vulnerability in SAP Solution Manager affects the ST 720 component of SAP Solution Manager. The CVE record states that the vulnerability "allows an authenticated attacker to insert malicious code when calling a remote-enabled function module." Authentication is required, so the blast radius depends on how widely RFC access to SolMan is granted; service and technical users with broad RFC authorisations are the accounts to review first.
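The deserialization note above is exploitable only if the RMI-P4 port is reachable, so the first thing a support team will want is a quick exposure check for every AS Java instance in the landscape. The following Python script is an added example written for this article, not code from SAP or from any of the research firms mentioned. It assumes SAP's standard port layout for AS Java, in which an instance numbered NN listens for P4 on port 5NN04 and for P4 over SSL on port 5NN06 (confirm this against your own instance profiles, since the ports can be changed), and it parses a constructed `ss -ltn` snapshot rather than live socket data so it runs offline.

```python
import re
from dataclasses import dataclass

# SAP AS Java default port scheme: 5<NN>xx, with NN the two-digit instance
# number. P4 is 5NN04 and P4 over SSL (P4S) is 5NN06. This is an assumption
# based on SAP's standard layout; verify against the instance profile.
P4_SUFFIXES = {"04": "P4", "06": "P4S"}

# Addresses that only reach the local host. Anything else is network-reachable.
LOOPBACK_PREFIXES = ("127.", "::1")


def p4_ports(instance_no: int) -> dict[int, str]:
    """Return {port: service_name} for the P4 and P4S ports of one instance."""
    if not 0 <= instance_no <= 99:
        raise ValueError("SAP instance numbers are 00..99")
    return {
        int(f"5{instance_no:02d}{suffix}"): name
        for suffix, name in P4_SUFFIXES.items()
    }


@dataclass(frozen=True)
class Listener:
    addr: str   # bind address, with IPv6 brackets removed
    port: int


# Matches one data row of `ss -ltn`: State Recv-Q Send-Q Local:Port Peer:Port
SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)(?:\s|$)")


def parse_ss_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -ltn` style output into Listener records (header rows are skipped)."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            # ss prints the IPv6 wildcard as [::]; normalise to a bare address.
            listeners.append(Listener(m.group(1).strip("[]"), int(m.group(2))))
    return listeners


def exposed_p4_listeners(listeners: list[Listener], instance_nos: list[int]) -> list[dict]:
    """Report P4/P4S listeners bound to a non-loopback address.

    These are the sockets an unauthenticated attacker on the network could
    send a serialized payload to, so they are in scope for the RMI-P4 vector.
    """
    watched: dict[int, str] = {}
    for nn in instance_nos:
        watched.update(p4_ports(nn))

    findings = []
    for lst in listeners:
        if lst.port not in watched:
            continue
        if lst.addr.startswith(LOOPBACK_PREFIXES):
            continue  # local-only binding; not reachable from the network
        findings.append({"service": watched[lst.port], "port": lst.port, "addr": lst.addr})
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample snapshot (not real data): two AS Java instances, 00 and 01.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:50000       0.0.0.0:*
LISTEN 0      4096   [::]:50004          [::]:*
LISTEN 0      4096   127.0.0.1:50006     0.0.0.0:*
LISTEN 0      4096   10.0.5.12:50104     0.0.0.0:*
"""


def check_sample() -> list[dict]:
    """Run the exposure check over the constructed snapshot for instances 00 and 01."""
    return exposed_p4_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT), [0, 1])


if __name__ == "__main__":
    for f in check_sample():
        print(f"EXPOSED {f['service']} port {f['port']} bound to {f['addr']}")
```

In the constructed snapshot the check flags P4 on instance 00 (bound to the IPv6 wildcard) and P4 on instance 01 (bound to a routable address), while the P4S socket on 127.0.0.1 is ignored. On a real host, pipe the output of `ss -ltn` into `parse_ss_listeners` and pass the instance numbers from the profiles; any finding is a system to patch first, or to wall off at the firewall until Note# 3660659 is applied.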
Additional Vulnerabilities Unveiled
SecurityBridge, meanwhile, reported that it contributed to three of the SAP Security Notes:
- Code Injection vulnerability in SAP Solution Manager;
- Missing Authorisation Check in SAP NetWeaver Application Server for ABAP;
- Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench).
Onapsis Research Labs (ORL) reported that it contributed to seven of the notes:
- OS Command Injection vulnerability in SAP Business Connector;
- Path Traversal vulnerability in SAP Business Connector;
- Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector;
- Open Redirect vulnerability in SAP Business Connector;
- JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal;
- Open Redirect vulnerabilities in SAP S/4HANA landscape;
- Missing authentication in SAP HANA 2.0 (hdbrss).
What This Means for Mastering SAP Insiders
The immediate threat is to legacy infrastructure. Manufacturing hubs such as Vietnam, Thailand, and China, as well as established markets such as Japan, have a significant footprint of on-premise, legacy architecture. The 10.0 CVSS scores for the SQL Anywhere Monitor and NetWeaver AS Java vulnerabilities represent arbitrary code execution risks, meaning an attacker can potentially take full control of the server. For organisations delaying their migration to SAP S/4HANA, these legacy gaps are open doors for ransomware that could halt production lines.
The latest patches also address risks to SAP Solution Manager (SolMan). Global hubs for SAP Shared Service Centers (SSCs) and Centers of Excellence (CoEs), such as India and the Philippines, rely heavily on SolMan to manage, monitor, and update SAP landscapes worldwide. SolMan holds RFC connections into the systems it manages, so an attacker who compromises the system meant to manage security potentially gains lateral access to every connected production system. For APAC-based support teams, patching SolMan ST 720 must be the priority this week, and the SolMan vulnerability requires an authenticated user, so reviewing which accounts hold RFC access to SolMan is the natural companion step.
Third-party research is driving discovery of SAP vulnerabilities. Ten of this month's notes were credited to Onapsis and SecurityBridge, which shows that some of the most dangerous vectors are being found by the ecosystem that has grown up around SAP rather than by SAP alone. CIOs and CISOs should therefore review their third-party security partnerships to ensure a more holistic cybersecurity strategy.