Onapsis Assists SAP in Patching Vulnerable Updates

After finding several vulnerabilities during a routine release, SAP has published 17 new and updated Security Notes on its March Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes four HotNews Notes and one High Priority Note.

The Onapsis Research Labs contributed significantly to this SAP Patch Tuesday. In addition to supporting SAP in patching the Missing Authentication vulnerability described in HotNews Note #3145987, assistance was given to SAP with patching three other vulnerabilities, one of them rated with High Priority.

The Onapsis Research Labs detected the critical vulnerability which allows an attacker to access administrative or other privileged functionalities and read, modify, or delete sensitive information and configurations. The only thing that prevents it from being tagged with a CVSS score of 10 is that, for a successful exploit to occur, local OS access to the SAP Focused Run system—or to one of the managed systems—is required. However, a successful exploit can lead to a complete compromise of the affected system.

In order to patch the vulnerability, SAP customers need to update both the SAP Simple Diagnostics Agent and the SAP Host Agent.

SAP Security Note #3154684, tagged with a CVSS score of 10.0, is another Log4j patch. It affects the SAP Work Manager and SAP Inventory application. Both applications run on SAP Mobile Platform (SMP) and only on-premise installations of the SMP are affected. The note recommends upgrading to SAP Work Manager 6.6.1 and/or SAP Inventory Manager 4.4.1 since  these application versions were built with the new library versions of the log4j library. As a workaround, a direct replacement of the vulnerable log4j library on the SMP server can be implemented. Due to the fact that SAP Work Manager versions prior to 6.4 do not use log4j libraries, they are not affected by the Log4j vulnerabilities.

AP Security Note #3149805, tagged with a CVSS score of 8.2, patches a Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad. Our research team detected that SAP Fiori launchpad allows an unauthenticated attacker to manipulate the SAP-theme URL parameter —  and inject HTML code — and create a link over the network for a user to click on. Once the link is clicked, successful exploitation allows the attacker to hijack user privileges that can be used to exfiltrate data and craft a CSRF attack to manipulate data. This can limit the application’s confidentiality and pose risks to its integrity, as well as increase the likelihood of it being completely compromised.

Since SAP Focused Run was the focus of its current investigation, the Onapsis Research Labs also helped SAP with patching two additional vulnerabilities for that application:

SAP Security Note #3147283, tagged with a CVSS score of 5.4, patches a Cross-Site Scripting (XSS) vulnerability in the Real User Monitoring application of SAP Focused Run. Insufficient input validation in the SAP Focused Run REST can lead to a remote attack, but with limited impact on the system’s confidentiality and integrity.

SAP Security Note #3147102, tagged with a CVSS score of 5.3, patches another vulnerability in the SAP Diagnostics Agent. A successful exploit allows an attacker to gather information that can be used to exploit open source security exploits in the future.

Fourteen of the 17 patched vulnerabilities were reported by external contributors and 5 of these by the Onapsis Research Labs. This demonstrates the importance of external researchers, like Onapsis Research Labs, to the SAP ecosystem.

As a major provider for software solutions protecting business-critical applications, Onapsis continues to invest in its research and proactively analyze and investigate developments in business-critical applications to deliver security insights and threat intelligence.

For more information about this news, visit