SAP published its Security Patch Day document for October 2022. It contains five new high-severity security notes and one update, including three that address BusinessObjects information disclosure vulnerabilities and one that addresses a buffer overflow in SAP SQL Anywhere and SAP IQ.
There are also “hot news” notes to address two critical vulnerabilities in SAP products.
CVE-2022-39802: Path Traversal Vulnerability (CVSS score: 9.9)
The vulnerability is present in the Manufacturing Execution product and affects its Work Instruction Viewer (WI500) and Visual Test and Repair plugins.
“The URL to request this information included a file path parameter that could be manipulated to allow arbitrary traversal of directories on the remote server,” explains Onapsis. The content of any file readable by the OS user running the NetWeaver process or service could be read this way.
For users that are unable to patch, SAP advises as a mitigation for CVE-2022-39802 to remove any sensitive data from the file systems accessible to that OS user and to limit the user's access to file paths it does not need.
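As an added illustration (not code from SAP, Onapsis or this article), the containment check a file path parameter like the one described above needs: a hypothetical `resolve_requested_file` canonicalises the client-supplied value against a fixed base directory and rejects anything that escapes it, and `run_checks` exercises it with constructed traversal variants against a temporary directory tree. Parameter values, directory names and function names are assumptions.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

class PathTraversalError(ValueError):
    """Client-supplied file path parameter escapes the allowed directory."""

def resolve_requested_file(base_dir: str, requested: str) -> Path:
    """Map a client-supplied path parameter onto a file under base_dir or raise."""
    decoded = unquote(unquote(requested))      # handles %2e%2e and double-encoded %252e
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path parameter")
    normalized = decoded.replace("\\", "/")    # treat backslashes as separators too
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / normalized).resolve()  # '..' collapsed and symlinks followed here
    try:
        candidate.relative_to(base)            # containment check on the canonical path
    except ValueError:
        raise PathTraversalError(f"{requested!r} resolves outside {base}") from None
    return candidate

def run_checks() -> dict:
    """Run the check over constructed parameters; returns {param: 'allowed' | 'blocked'}."""
    samples = [
        "docs/wi500/step1.xml",               # legitimate request
        "docs/../docs/wi500/step1.xml",       # '..' that stays inside base
        "../../etc/passwd",                   # classic traversal
        "..%2F..%2Fetc%2Fpasswd",             # URL-encoded separators
        "%252e%252e/%252e%252e/etc/passwd",   # double-encoded dots
        "..\\..\\windows\\win.ini",           # backslash separators
        "/etc/passwd",                        # absolute path
        "outside_link/secret.txt",            # symlink inside base pointing outside it
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:   # constructed directory tree
        base = Path(root) / "docroot"
        (base / "docs" / "wi500").mkdir(parents=True)
        outside = Path(root) / "elsewhere"
        outside.mkdir()
        os.symlink(outside, base / "outside_link")
        for param in samples:
            try:
                resolve_requested_file(str(base), param)
                results[param] = "allowed"
            except PathTraversalError:
                results[param] = "blocked"
    return results
```

Even with this check in place, the server process still only needs read access to the directory it serves, which is why SAP's mitigation of trimming the OS user's file system access matters as a second layer.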
CVE-2022-41204: Account Hijacking Vulnerability (CVSS score: 9.6)
The vulnerability affects the SAP Commerce login form and allows URL redirection. An attacker could inject redirect information into the URLs that are called when a login form is submitted. This may result in account hijacking and exfiltration of sensitive data to an attacker-controlled server.
An attacker needs no special permissions to exploit it, but does need a user to click the malicious link that opens the faked login form.
By utilizing phishing techniques to spread the manipulated URL to legitimate SAP Commerce users, threat actors can deceive users into clicking this type of link, according to Onapsis.
SAP mentions two methods of mitigation for CVE-2022-41204:
- Disabling the affected OAuth extension (other integrations may rely on this extension).
- Filtering malicious HTTP requests: SAP lists directives that prevent SAP Commerce from processing altered requests and make it reply with status code 404 instead.
Other Fixed Vulnerabilities
Two other notes fix 17 issues in 3D Visual Enterprise Viewer and 26 bugs in 3D Visual Enterprise Author. By tricking users into opening altered files in 3D Visual Enterprise Viewer or Author, an attacker might execute arbitrary code or cause a denial of service (DoS).
The remaining nine security notes address vulnerabilities in BusinessObjects, Enable Now, Commerce, Customer Data Cloud (Gigya), and Data Services Management Console with medium-severity information disclosure and cross-site scripting (XSS) risk.