
SAP Security Patch Day – January 2025

Gert-Jan Koster
SAP Security specialist
January 14, 2025
6 min read

A new year, a new beginning. But some things continue as they always have, and Patch Management certainly falls into that category! Let’s kick off 2025 well and dive into the first batch of security notes released by SAP this year. The mission – should you choose to accept it 😉 – is clear: secure your systems and keep your vital processes and data safe.

Applying patches to stay secure sounds like a no-brainer, but effective Patch Management proves to be a challenge for many organizations, especially in a complex SAP landscape. The SecurityBridge Patch Management solution helps to lift that load by identifying missing security patches across the landscape and by providing the essential information needed to manage this part of vulnerability management effectively.


Security notes - January 2025

As in previous months, we are looking at a similar number of released SAP notes. Interestingly, all 14 notes are new this time; there are no updates to existing notes! See below for the highlights.

HotNews

First things first: we start with the notes of the highest priority (HotNews).

When it comes to system communication or integration, this normally concerns ‘external’ communication: two components that are clearly separate from each other exchanging data. These are often referred to as a client (initiator) and a server (receiver) component, such as a browser and a web server. What is sometimes easily overlooked, however, is the fact that many systems have internal communication as well, meaning components of the same system that exchange information of various sorts. Note 3537476 describes a critical vulnerability in this type of communication in SAP ABAP systems. Without the kernel corrections of this note, credentials used for internal communication can be obtained and the system can be seriously compromised. So apply this kernel patch!

Note: the SecurityBridge Threat Detection module actively monitors the usage of critical programs and transactions (among many other things). When programs are found to be vulnerable (like the one above), these items are added to the default SecurityBridge configuration and immediately distributed to customers.

Next up is note 3550708, which describes how a test program can be used to execute transaction SA38, the transaction used to run programs in SAP ABAP systems. As the note makes clear, this test utility is part of the delivery of virtually every common SAP BASIS component, which makes this a vulnerability that can be exploited very widely! Implementing the note simply renders the test program useless. The note should be easy to implement on any SAP system, and it is highly advised to do so as soon as possible. This is a clear example of how easily vulnerabilities can be introduced unintentionally!

SQL Injection vulnerability – a SecurityBridge find!

The next highlight is note 3550816, which describes how an SQL injection can lead to a serious compromise of SAP ABAP systems running on an Informix database. We are proud to highlight this particular issue, which was found by our very own Director of Security Research, Joris van de Vis. Security Research is one of the activities we do at SecurityBridge in our ambition to deliver high-quality solutions to SAP customers.

Client-side vulnerabilities

When it comes to SAP Security patching, it is the main SAP systems and services that come to mind first. That makes sense, but it is important to realize that many tools, utilities, and other components exist in the SAP domain that can be vulnerable too, or that introduce risk not so much on the server side but on the client side of the spectrum. This month, we see a few examples of this category:

Note 3542533 describes a vulnerability in SAPSetup, a tool used for the installation of SAP components. When an unpatched version is used, a DLL injection is possible. As a best practice: always use the latest installation tools when starting a new installation cycle.

Client-side vulnerabilities in SAP GUI have been released for the different variants:

  • Note 3502459 addresses an issue with SAP GUI for Java. User input is stored in unencrypted form on the client side, from where it can later be retrieved and exploited.
  • Note 3472837 describes a similar issue for SAP GUI for Windows, again concerning the storage of client-side information. A workaround is available, but it is preferred – obviously – to apply the updated version.
  • Note 3503138 again describes a similar issue, but for SAP GUI for HTML. The difference here is that no client installation software is involved; a server-side software patch is needed instead. The patch is not available yet, so the workaround needs to be applied.

Other

The remaining notes concern SAP BusinessObjects, SAP NetWeaver Java, and SAP ABAP systems. These notes require the same due attention and implementation where applicable. For the complete list, see below.

SAP Security Notes January 2025

Highlights

All security notes this month are newly released, including 2 HotNews notes that require immediate attention!

Summary by Severity

The January release contains a total of 14 patches for the following severities:

| Severity | Number |
|----------|--------|
| Hot News | 2 |
| High | 3 |
| Medium | 8 |
| Low | 1 |
All notes below were released on 14.01.2025 and carry the category "Program error".

| Note | CVE | Description | Component | Priority | Severity | CVSS |
|------|-----|-------------|-----------|----------|----------|------|
| 3550708 | CVE-2025-0066 | Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) | BC-MID-ICF | HotNews | Hot News | 9.9 |
| 3537476 | CVE-2025-0070 | Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform | BC-MID-ICF | HotNews | Hot News | 9.9 |
| 3550816 | CVE-2025-0063 | SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-DB-INF | Correction with high priority | High | 8.8 |
| 3474398 | CVE-2025-0061 | Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | Correction with high priority | High | 8.7 |
| 3542533 | CVE-2025-0069 | DLL Hijacking vulnerability in SAPSetup | BC-FES-INS | Correction with high priority | High | 7.8 |
| 3542698 | CVE-2025-0058 | Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow | BC-BMT-WFM | Correction with medium priority | Medium | 6.5 |
| 3540108 | CVE-2025-0067 | Missing Authorization check in SAP NetWeaver Application Server Java | BC-WD-JAV | Correction with medium priority | Medium | 6.3 |
| 3503138 | CVE-2025-0059 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | BC-FES-WGU | Correction with medium priority | Medium | 6.0 |
| 3502459 | CVE-2025-0056 | Information Disclosure vulnerability in SAP GUI for Java | BC-FES-JAV | Correction with medium priority | Medium | 6.0 |
| 3472837 | CVE-2025-0055 | Information Disclosure vulnerability in SAP GUI for Windows | BC-FES-GUI | Correction with medium priority | Medium | 6.0 |
| 3536461 | CVE-2025-0053 | Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-MID-ICF | Correction with medium priority | Medium | 5.3 |
| 3514421 | CVE-2025-0057 | Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application) | BC-JAS-SEC-UME | Correction with medium priority | Medium | 4.8 |
| 3550674 | CVE-2025-0068 | Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP | BC-BMT-WFM | Correction with medium priority | Medium | 4.3 |
| 3492169 | (none listed) | Multiple Buffer overflow vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise) | BI-RA-CRE | Correction with low priority | Low | 2.2 |