Advisory
A note with CVSS 3.2 for component BC-DB-SYB was released by SAP on 14.06.2022. The correction/advisory 3155571 was described with "[CVE-2022-31594] Privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE)" and affects the system type SAP Adaptive Server Enterprise (ASE) .
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is os command injection within SAP Adaptive Server Enterprise (ASE) .
Risk specification
This note has been re-released with updated 'Symptom’ information: A highly privileged user can exploit SUID-root program to escalate his privileges to root on a local Unix system.Solution
The SUID bit is not set anymore. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "Note that this workaround is a temporary fix and is not a permanent solution: If set it should be removed by executing: chmod 0755 /usr/sap/<SAPSID>/SYS/exe/run/sybctrl The database can also be started using the SAP Host Agent using the StartDatabase command.".
The advisory is valid for
- KERNEL 7.22 24
- KERNEL 7.49 23
- KERNEL 7.53 36
- KRNL64NUC 7.22 30
- KRNL64NUC 7.22EXT 30
- KRNL64NUC 7.49 24
- KRNL64UC 7.22 30
- KRNL64UC 7.22EX2
- KRNL64UC 7.22EXT 30
- KRNL64UC 7.49 24
- KRNL64UC 7.53 36
- 9.9 [CVE-2021-37531] Code Injection vulnerability in SAP NetWeaver Knowledge Management (XMLForms)
- 9.1 Update 1 to 3350297 - [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
- 9.1 [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
- 9.1 Update 2 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent
- 9.1 [CVE-2020-26820] Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server)
