
WARNING: 4 CRITICAL VULNERABILITIES IN SAP PRODUCTS

Reference: Advisory #2022-45
Version: 1.0
Affected software:
SAP BusinessObjects Business Intelligence Platform, Versions 420 and 430
SAP NetWeaver Process Integration, Version 7.50
SAP Commerce, Versions 1905, 2005, 2105, 2011 and 2205
Type: Multiple types (Server-Side Request Forgery; Improper Access Control; Remote Code Execution)
CVE/CVSS:
CVE-2022-41267 (CVSS: 9.9)
CVE-2022-41272 (CVSS: 9.9)
CVE-2022-42889 (CVSS: 9.8)
CVE-2022-41271 (CVSS: 9.4)

Sources

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Risks

On 13 December 2022, SAP disclosed several vulnerabilities affecting its products.

Certain versions of BusinessObjects Business Intelligence Platform, NetWeaver Process Integration and Commerce are affected by critical vulnerabilities with a high impact on Confidentiality, Integrity, and Availability (CIA).

Description

CVE-2022-41267 - Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform: An attacker with normal BI user privileges can upload or replace any file on the BusinessObjects server, which enables them to take full control of the system.

The impact on the Confidentiality, Integrity, and Availability of the application is HIGH.

CVE-2022-41272 - Improper access control in SAP NetWeaver Process Integration (User Defined Search): An unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver Process Integration (PI) - version 7.50 and make use of an open naming and directory API to access services, which can be used to perform unauthorized operations affecting users and data across the entire system.

The impact on Confidentiality is HIGH. The impact on Availability and Integrity of the application is LIMITED.

CVE-2022-42889 - Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce: Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

In versions 1.5 through 1.9, the set of default Lookup instances included interpolators that could result in Remote Code Execution on the affected servers. These lookups are:

  • "script" (execute expressions using the JVM script execution engine),
  • "dns" (resolve DNS records),
  • "url" (load values from URLs).
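The interpolation mechanism described above, together with the two defensive responses to it (building an interpolator from an explicit allowlist of lookups instead of the library defaults, and scanning request logs for the three dangerous prefixes), as an added Python example. This is not code from SAP, CERT.be or Apache Commons Text: the `${prefix:name}` parser is a simplified reading of the format described in this advisory (no escaping, no nested expressions), the access-log lines and the `const` lookup are constructed for the example, and `safe_substitute`, `scan_log` and the other names are this example's own.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Grammar of an interpolation expression as described in the advisory:
# "${prefix:name}". A plain "${name}" (no prefix) is treated as a variable
# reference. This is a simplified reading of the format; Apache Commons Text
# itself also supports escaping and nested expressions.
INTERPOLATION_RE = re.compile(r"\$\{(?:(?P<prefix>[A-Za-z]+):)?(?P<name>[^}]*)\}")

# The three default lookups that CVE-2022-42889 singles out: "script"
# executes expressions, "dns" and "url" make outbound network requests.
DANGEROUS_PREFIXES = frozenset({"script", "dns", "url"})


def find_interpolations(text: str) -> List[Tuple[Optional[str], str]]:
    """Return every (prefix, name) pair found in text; prefix is None for ${name}."""
    return [(m.group("prefix"), m.group("name")) for m in INTERPOLATION_RE.finditer(text)]


def dangerous_prefixes(text: str) -> List[str]:
    """Sorted list of dangerous lookup prefixes present in text (case-insensitive)."""
    return sorted({p.lower() for p, _ in find_interpolations(text)
                   if p is not None and p.lower() in DANGEROUS_PREFIXES})


def safe_substitute(template: str, variables: Dict[str, str],
                    allowed_lookups: Dict[str, Callable[[str], Optional[str]]]) -> str:
    """Expand ${name} from `variables` and ${prefix:name} only through an
    explicit allowlist of lookup functions. Any prefix that is not on the
    allowlist (script, dns and url included) is left verbatim: the behaviour an
    application gets by constructing its interpolator from named lookups
    rather than relying on the library's default set."""
    def replace(match: "re.Match[str]") -> str:
        prefix, name = match.group("prefix"), match.group("name")
        if prefix is None:
            return variables.get(name, match.group(0))
        lookup = allowed_lookups.get(prefix.lower())
        if lookup is None:
            return match.group(0)
        value = lookup(name)
        return match.group(0) if value is None else value
    return INTERPOLATION_RE.sub(replace, template)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, dangerous prefixes) for every line that carries one; a
    quick check of web-server access logs for probes using these lookups."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = dangerous_prefixes(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample access-log lines (not real traffic); client addresses
# are taken from the TEST-NET-3 documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2022:10:00:01 +0100] "GET /search?q=shoes HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Dec/2022:10:00:02 +0100] "GET /search?q=${script:javascript:1} HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Dec/2022:10:00:03 +0100] "POST /login HTTP/1.1" 302 0 "${url:UTF-8:http://example.invalid/}" "${dns:address:example.invalid}"',
    '203.0.113.9 - - [13/Dec/2022:10:00:04 +0100] "GET /?x=${sys:user.home} HTTP/1.1" 200 12',
]

# Constructed allowlist: a single "const" lookup backed by a fixed table.
CONSTANTS = {"product": "SAP Commerce", "patch.note": "apply vendor patch"}
ALLOWED_LOOKUPS: Dict[str, Callable[[str], Optional[str]]] = {"const": CONSTANTS.get}

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: dangerous lookup prefix(es) {hits}")
    print(safe_substitute("Hello ${user}, ${const:product}: ${script:javascript:1}",
                          {"user": "admin"}, ALLOWED_LOOKUPS))
```

The allowlist approach is the design point: an interpolator that only knows the lookups the application registered cannot be steered into the script, dns or url lookups by untrusted input, whatever prefix that input carries. The library's own fix (Apache Commons Text 1.10.0 no longer includes those three lookups in its defaults) is what the SAP Commerce patch carries forward, which is why applying the vendor patch remains the primary action.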

CVE-2022-41271 - Improper access control in SAP NetWeaver Process Integration (Messaging System): An unauthenticated attacker can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration (PI) - version 7.50. The attacker can use an open naming and directory API to access services that could perform unauthorized operations.

These operations can be used to:

  • Read any information
  • Modify sensitive information
  • Conduct Denial of Service (DoS) attacks
  • Perform SQL injection

The impact on Confidentiality and Availability is HIGH. The impact on Integrity is LIMITED.

Recommended Actions

CERT.be recommends that system administrators apply the latest patches released by the vendor as soon as possible.
When patching, externally facing systems should be prioritised.

Patched versions of the affected components are available at the SAP One Support Launchpad (login required).

link: https://launchpad.support.sap.com/

References