“February 2023 Patch Day”
7 x 6.1 = Enjoying the note implementation!
The second Tuesday of the month is SAP Security Patch Day, and it usually brings additional work. Sometimes, though, everything runs like clockwork and the fixes even make you smile when you look at them. This February was such a month: since the last Patch Day a total of 26 notes were published, seven of which turned out to be relevant after comparing them with the software components and Support Package levels of our HCM system.
The thematic focus was on vulnerabilities in browser-based applications, such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF). It is also interesting that all of these notes received the same CVSS score of 6.1. From an implementation perspective such fixes are "pleasant" because the changed coding does not require any technical retesting. However, here is also the first "smile":
Input Validation vs. Output Encoding
Note 3293786, titled “[CVE-2023-23858] Cross-site scripting vulnerability (XSS) in SAP NetWeaver AS,” states:
Due to insufficient input validation, SAP NetWeaver AS for ABAP and the ABAP platform allows an unauthenticated attacker to send a targeted URL to a user.
Many years ago, in the "Secure ABAP Programming" training, I learned that the countermeasure of choice against XSS is not input validation but correct output encoding (escaping): the data is encoded at the point where it is written into the HTML page or URL, with an encoding that matches that output context. So is the correction itself wrong? No! The fix does use the ESCAPE function; only the wording of the note is not 100% accurate, since it describes an output-encoding fix as an input-validation fix.
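To make the distinction concrete, here is an added example (not code from the blog post, from SAP, or from the note's correction) in Python rather than ABAP: a reflected-XSS endpoint that relies on a typical blacklist "input validation" is compared with the same endpoint that does no input filtering at all but encodes every insertion point for its own context. The host name, the `/app` endpoint and the three attacker URLs are constructed for the demo. The ABAP counterpart of the encoding calls is `escape( val = ... format = cl_abap_format=>e_html_text )`, `e_html_attr` and `e_url` respectively.

```python
# Added example: why input validation does not stop reflected XSS while
# context-aware output encoding does. Host name, endpoint and attacker
# URLs are assumptions constructed for this demo.
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attack URLs of the kind "sent to a user" in a reflected XSS.
ATTACK_URL_SCRIPT = "https://host.example/app?name=%3Cscript%3Ealert(1)%3C/script%3E"
ATTACK_URL_IMG = "https://host.example/app?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
ATTACK_URL_ATTR = "https://host.example/app?name=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22"


def get_param(url, key):
    """First value of query parameter `key`, URL-decoded, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(key, [""])[0]


def blacklist_validate(value):
    """Typical 'input validation' against XSS: reject anything containing a
    <script tag. Returns True when the value is accepted."""
    return re.search(r"<\s*script", value, re.IGNORECASE) is None


def render_unsafe(url):
    """Reflect the parameter after input validation but WITHOUT output
    encoding. Returns None when the validator rejects the request."""
    name = get_param(url, "name")
    if not blacklist_validate(name):
        return None
    return (f"<p>Hello {name}</p>"
            f'<input value="{name}">'
            f'<a href="/search?q={name}">again</a>')


def render_safe(url):
    """Same page, no input filtering, but every insertion point is encoded
    for its own context: HTML text, quoted HTML attribute, URL query value."""
    name = get_param(url, "name")
    return (f"<p>Hello {html.escape(name)}</p>"
            f'<input value="{html.escape(name, quote=True)}">'
            f'<a href="/search?q={quote(name, safe="")}">again</a>')


class _TagCollector(HTMLParser):
    """Collects start tags and on* attribute names the way a browser would
    tokenize the markup (entity-encoded text never becomes a tag)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(a for a, _ in attrs if a.startswith("on"))


TEMPLATE_TAGS = {"p", "input", "a"}  # the only tags the template itself emits


def executes_script(rendered):
    """Oracle for the demo: True if the markup contains a tag the template
    did not emit or any event-handler attribute, i.e. attacker-controlled
    data has escaped from its intended context."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return bool(set(collector.tags) - TEMPLATE_TAGS) or bool(collector.handlers)


if __name__ == "__main__":
    for url in (ATTACK_URL_SCRIPT, ATTACK_URL_IMG, ATTACK_URL_ATTR):
        payload = get_param(url, "name")
        unsafe = render_unsafe(url)
        print(f"payload {payload!r}")
        print("  validator:", "accepted" if blacklist_validate(payload) else "rejected")
        print("  validate-only page executes script:",
              executes_script(unsafe) if unsafe is not None else "n/a (rejected)")
        print("  encode-on-output page executes script:", executes_script(render_safe(url)))
```

The blacklist catches the textbook `<script>` payload and nothing else: the `<img onerror>` payload passes validation and runs, and the attribute-breakout payload never even contains a tag. The encoding version is a fixed property of the template, not of the input, which is why it holds for all three payloads; the one thing encoding alone cannot decide is which scheme an attacker-controlled href may use, so a URL built from user data needs a scheme allowlist in addition to encoding.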
ABAP Command Injection
The second note worth mentioning is 3287291: "[CVE-2023-23854] Missing authorization check in SAP NetWeaver AS ABAP". It concerns two remote-enabled (RFC) function modules through which a caller can write changes into ABAP program code. Without an authorization check in front of such a capability, a caller with RFC access can alter the executable coding of the system, which makes this a classic "ABAP Command Injection".
After reviewing the source code, it remained unclear whether the existing protection, e.g. via the function module RS_ACCESS_PERMISSION, would be sufficient. In any case, the correction delivered with the note deactivates both function modules completely, by a well-placed EXIT directly at the beginning of the source code, so that the remaining coding can no longer be reached. That's good! Since the modules are switched off rather than repaired, it is worth running a where-used check for callers in custom code before implementing the note, because any remaining call will from then on return silently without effect.
If you want to know more about the different categories of security vulnerabilities in ABAP code or the topic “Secure ABAP Programming”, please contact us!