Analyzing SAP Security Notes May 2014 Edition
SAP is a complex and ever-changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (patches) to ensure that newly disclosed vulnerabilities are mitigated. To provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases its latest Security Notes on the second Tuesday of every month. Because this regular disclosure of new security issues could weaken the security of SAP systems within an organization, it is highly recommended to carry out periodic assessments at least monthly.

At Onapsis we are very concerned about our clients' SAP system security and about the state of SAP security in general, so to assist our customers we perform a detailed analysis of the monthly SAP Security Notes as soon as they are published. The goal is to provide SAP customers with detailed information about the newly released notes and the vulnerabilities affecting their SAP systems, and to help guide the testing of those systems within their organization.

This month SAP published 17 Security Notes (1 Support Package Note and 16 Patch Day Notes). Four of the notes were reported by external researchers; Onapsis Research Labs reported one of the four, Note 2009696, a Cross Site Scripting (XSS) vulnerability in SAP HANA found by Will Vandevanter.
This month the most important note is 2015882 - "Apache Struts 2 Vulnerability in SAP Online Banking", released as Hot News. It addresses a critical vulnerability in Apache Struts 2 (CVE-2014-0112) that could allow remote code execution on the vulnerable system. UPDATE: Notes 2007688, 2006177 and 2005441 also reference products and versions affected by the Heartbleed vulnerability (CVE-2014-0160); those were likewise released as Hot News, but prior to the Patch Day. Other attack vectors patched this month:
- Missing authority checks: Notes 1889999, 1915920, 2000476 and 1997788 (CVSS scores between 3.5 and 6.0)
- Cross Site Scripting (XSS):
  - Unauthenticated: Notes 1621071, 1979438, 1941796 and 2009696
  - Authenticated: Note 1990115
- Information disclosure: Notes 1966995 and 1977754
Each month Onapsis updates our flagship product, Onapsis X1, so you can check whether your systems are up to date with the latest SAP Security Notes and whether they are configured with the appropriate level of security to meet your audit and compliance requirements. Stay tuned for next month's Security Notes analysis from Onapsis Research Labs.