Advisory
On 11.04.2023 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Kernel.
SAP Note 3315312 addresses "[CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher" to prevent weak security function with a medium risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specification
The IP filter in ABAP Platform and SAP Web Dispatcher may be vulnerable to incorrect IP netmask handling, allowing an attacker to bypass those restrictions.Solution
The netmask matching has been updated to now properly match on all netmasks. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Entries with some specific netmask suffixes are able to correct the matching behavior for the whole permission table. The matching of IP addresses can be corrected by adding an entry with a suffix of /31, for example 127.0.0.0/31.".
The advisory is valid for
- KERNEL 7.85 25
- KERNEL 7.89 16
- KERNEL 7.91 6
- WEBDISP 7.85 11
- WEBDISP 7.89 7
- 7.8 [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection)
- 6.2 [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer)
- 4.7 [CVE-2024-41732] Improper Access Control in SAP Netweaver Application Server ABAP
- 4.3 [CVE-2024-45277] Prototype Pollution vulnerability in SAP HANA Client
- 4.3 [CVE-2024-45282] HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)
