SAP Security patches dwarf Log4J Vulnerability

Date: December 19th 2021

Risk: High

Well, I’m writing this possibly 5 days late, but as the saying goes, better late than never. Log4j has taken the internet by storm, but it is important to take a logical view, address all critical CVEs, and stay focused on enterprise security as a whole. One takeaway is to build and maintain a complete asset inventory that records product versions and which application services are publicly exposed. You can even create Google Alerts to help track new RCEs and CVEs for each product you run.

SAP has identified 32 apps that may be affected by CVE-2021-44228 (the Log4j vulnerability), and the December patch cycle also includes Code Execution and Injection vulnerabilities, some of which date back to September 2021.

Regardless, this brings up the conversation about WAFs (Web Application Firewalls) and a layered security approach. A web application firewall does not give 100% protection, but it drastically lowers your risk as a company and can also be used to mitigate critical CVEs. All CISOs and C-level executives should understand the layered security model and map security controls against application services to better understand risk. Has your organization implemented a zero trust model with layered security?

Summary of SAP CVEs (December 2021 Patch Day)

Note 2622660 – Update to Security Note released on Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5
Priority – Hot News, CVSS – 10

Note 3109577 – Code Execution vulnerability in SAP Commerce, localization for China
Related CVEs – CVE-2021-21341, CVE-2021-21342, CVE-2021-21349, CVE-2021-21343, CVE-2021-21344, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351, CVE-2021-21345, CVE-2021-21348
Product – SAP Commerce, localization for China, Version – 2001
Priority – Hot News, CVSS – 9.9

Note 3119365 – [CVE-2021-44231] Code Injection vulnerability in SAP ABAP Server & ABAP Platform (Translation Tools)
Product – SAP ABAP Server & ABAP Platform (Translation Tools), Versions – 701, 740, 750, 751, 752, 753, 754, 755, 756, 804
Priority – Hot News, CVSS – 9.9

Note 3089831 – Update to Security Note released on September 2021 Patch Day: [CVE-2021-38176] SQL Injection vulnerability in SAP NZDT Mapping Table Framework
Product – SAP S/4HANA, Versions – 1511, 1610, 1709, 1809, 1909, 2020, 2021
Product – SAP LT Replication Server, Versions – 2.0, 3.0
Product – SAP LTRS for S/4HANA, Version – 1.0
Product – SAP Test Data Migration Server, Version – 4.0
Product – SAP Landscape Transformation, Version – 2.0
Priority – Hot News, CVSS – 9.9

Note 3114134 – [CVE-2021-42064] SQL Injection vulnerability in SAP Commerce
Product – SAP Commerce, Versions – 1905, 2005, 2105, 2011
Priority – High, CVSS – 8.8

Note 3102769 – [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Product – SAP Knowledge Warehouse, Versions – 7.30, 7.31, 7.40, 7.50
Priority – High, CVSS – 8.8

Note 3123196 – [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
Product – SAP NetWeaver AS ABAP, Versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
Priority – High, CVSS – 8.4

Note 3077635 – [CVE-2021-40498] Denial of service (DOS) in the SAP SuccessFactors Mobile Application for Android devices
Product – SAP SuccessFactors Mobile Application (for Android devices), Versions – <2108
Priority – High, CVSS – 7.8

Note 3124094 – [CVE-2021-44232] Directory Traversal vulnerability in SAF-T Framework
Product – SAF-T Framework, Versions – SAP_FIN 617, 618, 720, 730, SAP_APPL 600, 602, 603, 604, 605, 606, S4CORE 102, 103, 104, 105
Priority – High, CVSS – 7.7

Note 3113593 – Denial of service (DOS) in SAP Commerce
Related CVE – CVE-2021-37714
Product – SAP Commerce, Versions – 1905, 2005, 2105, 2011
Priority – High, CVSS – 7.5

Note 3000663 – Update to Security Note released on July 2021 Patch Day: [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager
Product – SAP Web Dispatcher and Internet Communication Manager, Versions – KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.73, WEBDISP 7.53, 7.73, 7.77, 7.81, 7.82, 7.83, KERNEL 7.21, 7.22, 7.49, 7.53, 7.73, 7.77, 7.81, 7.82, 7.83
Priority – Medium, CVSS – 5.4

Note 3121165 – [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
CVEs – CVE-2021-42068, CVE-2021-42069, CVE-2021-42070
Product – SAP 3D Visual Enterprise Viewer, Version – 9
Priority – Medium, CVSS – 4.3

Note 2843016 – Update to Security Note released on November 2019 Patch Day: [CVE-2019-0388] Content spoofing vulnerability in UI5 HTTP Handler
Product – SAP UI, Versions – 7.5, 7.51, 7.52, 7.53, 7.54
Product – SAP UI 700, Versions – 2.0
Priority – Medium, CVSS – 4.3

Note 3103677 – [CVE-2021-42061] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (Web Intelligence)
Product – SAP BusinessObjects Business Intelligence Platform, Version – 420
Priority – Medium, CVSS – 4.1

Note 3080816 – [CVE-2021-44233] Missing Authorization check in GRC Access Control
Product – SAP GRC Access Control, Versions – V1100_700, V1100_731, V1200_750
Priority – Low, CVSS – 2.4
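As an added example (not code from the original post, SAP or Onapsis), here is a small Python script that puts the asset-inventory advice above into practice: it checks a constructed inventory of SAP systems against a handful of the notes summarised in the table and ranks the hits by internet exposure and CVSS. The hostnames and the inventory are made up; matching is by the exact product names used in the note titles, and the "<2108" SuccessFactors range is handled as a version predicate rather than a list.

```python
# Added example: match an SAP asset inventory against December 2021 patch-day notes.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Note:
    note: str                        # SAP Note number from the table above
    product: str                     # product name as written in the note title
    affected: Callable[[str], bool]  # returns True if a version is affected
    priority: str
    cvss: float

def one_of(*versions: str) -> Callable[[str], bool]:
    """Predicate for notes that list discrete affected versions."""
    return lambda v: v in versions

# Subset of the notes summarised above (numbers, products, versions, CVSS from the table).
NOTES = [
    Note("3114134", "SAP Commerce", one_of("1905", "2005", "2105", "2011"), "High", 8.8),
    Note("3113593", "SAP Commerce", one_of("1905", "2005", "2105", "2011"), "High", 7.5),
    Note("3123196", "SAP NetWeaver AS ABAP",
         one_of("700", "701", "702", "710", "711", "730", "731", "740", "750",
                "751", "752", "753", "754", "755", "756"), "High", 8.4),
    Note("3102769", "SAP Knowledge Warehouse", one_of("7.30", "7.31", "7.40", "7.50"), "High", 8.8),
    # The table gives this one as "Versions – <2108": a range, so use a comparison.
    Note("3077635", "SAP SuccessFactors Mobile Application (for Android devices)",
         lambda v: int(v) < 2108, "High", 7.8),
]

# Constructed inventory (hostname, product, version, publicly exposed?) -- not real systems.
INVENTORY = [
    ("commerce-prod-01", "SAP Commerce", "2105", True),
    ("erp-app-01", "SAP NetWeaver AS ABAP", "750", False),
    ("kw-legacy-01", "SAP Knowledge Warehouse", "7.20", True),   # 7.20 is not in the note's list
    ("mobile-fleet", "SAP SuccessFactors Mobile Application (for Android devices)", "2105", True),
]

def find_exposure(inventory, notes) -> List[Tuple[str, str, float, bool]]:
    """Return (host, note, cvss, exposed) for every inventory entry an affected-version note covers.
    Internet-facing systems sort first, then by descending CVSS, so the list is a patch order.
    A host with no hit is not necessarily safe: it may simply run a version the note does not list."""
    hits = []
    for host, product, version, exposed in inventory:
        for n in notes:
            if n.product == product and n.affected(version):
                hits.append((host, n.note, n.cvss, exposed))
    hits.sort(key=lambda h: (not h[3], -h[2]))
    return hits

if __name__ == "__main__":
    for host, note, cvss, exposed in find_exposure(INVENTORY, NOTES):
        print(f"{host}: apply SAP Note {note} (CVSS {cvss}, {'internet-facing' if exposed else 'internal'})")
```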

Reference:

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021

https://onapsis.com/blog/sap-security-patch-day-december-2021-patch-day-shadow-log4j