“Patch in May or go away”
… that’s how an old stock market saying should sound if you want to adapt it to the security of IT systems: continuous patching is a must if you are serious about this goal. Accordingly, this month we also took a look at the list of advisories that SAP published as “SAP Security Patch Day – May 2022”.
In total, there are 14 notes on the list, which we – as always – want to analyze from the perspective of our own SAP HCM system.
Updates to Security Notes from previous months regarding “Spring4Shell”
The fixes are led by four notes (3170990, 3189409, 3171258, 3189635) about Spring Framework – some of them are also updates from last month. After downloading them into the Note Assistant (SNOTE), they are rated as “not implementable”.
However, since the underlying vulnerabilities have been rated with almost maximum criticality (CVSS Score = 9.8), it is still recommended to take a look at the note. On the one hand, to check whether manual activities such as installing support packages may be necessary (see from the previous month the UI5 framework patch in 3126557). On the other hand, these notes usually reference others, which then have to be downloaded again – see note 3170990). With respect to our HCM system, there are no necessary activities.
A total of 5 notes in our HCM system were easily implementable in SNOTE. On the one hand, because vulnerabilities like Cross Site Scripting were addressed, whose correction is technical and does not require a retest (3124994, 3146336). The notes on missing authorization checks could be implemented immediately in our environment (3165801).
Information Disclosure in HCM Employee Self Services
Another aspect is the question if the affected module is used at all (if no, you can import directly). However, a clear “yes” is the answer to this question when it comes to note 3164677 Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request). This is because ESS scenarios are used intensively in our company.
The note text states, “Due to insufficient input validation, SAP Employee Self-Service allows an authenticated attacker with user privileges to change the employee number. After successful exploitation, the attacker can view personal details of other users, which to some extent compromises the confidentiality of the application.”
While it is not named here what specific data can be viewed – personal data is certainly affected in the case of the “My Leave Requests” Fiori-App. This conflicts with the requirement of access control as defined by the GDPR. Therefore, after consultation with the application owners and a review of the correction, we also applied this patch immediately.
This concludes our blog on the patch activities in May – we will report back here in four weeks.