Advisory
A note with CVSS 7.1 for component CA-UI5-CTR-BAL was released by SAP on 09.05.2023. The correction/advisory 3326210 was described with "[CVE-2023-30743] Improper Neutralization of Input in SAPUI5" and affects the system type ABAP.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is code injection within ABAP.
Missing authority checks are still the most common security defect related to authorizations in custom code. Since SAP uses an explicit authorization model, an authority checks must be coded in order to be executed. If an explicit check is not coded, all users have access. This type of vulnerability not only exists in SAP standard it also exists in customer coding. Check your custom developments for vulnerabilities that pose a risk to your systems. SecurityBridge helps detect code vulnerabilities before they are implemented in production.
Risk specification
This note has been re-released with updated 'Solution' and 'Workaround' information. Due to improper input sanitization the UI5 Control sap.m.FormattedText allows injection of untrusted CSS allowing an unauthenticated attacker to block interaction with the application or reading and modifying user's information.Solution
The affected sap.m.FormattedText SAPUI5 control added the required extra restrictions to the existing sanitization. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "Sanitize by removing the values of the "style" and "class" attributes in the html input of sap.m.FormattedText control and the controls: sap.m.FormattedText: sanitize the value of its "htmlText" property;, sap.m.FeedListItem: sanitize the value of its "text" property;, sap.m.IllustratedMessage, sanitize the value of its "description" property (sanitization required only if its "enableFormattedText" property is enabled);, sap.m.InputBase (and all its subclasses), sanitize the value of its "formattedValueStateText" property. A workaround is available only if you are developing a custom UI5 applications and should be applied by the development team of your application. No workaround is available in the cases when you are reusing a standard SAPUI5 application.".
Affected System
The advisory 3326210 describes a problem within an ABAP based systems of a specific version. Affected versions are described below. ABAP software is deployed in various software components and is widely used within the SAP product portfolio.
SAP NetWeaver Application Server (formally known as SAP Web Application Server) is a building block of SAP NetWeaver. It is the foundation for most software products developed by SAP SE. SAP NetWeaver systems exist with Java and/or ABAP stacks. The advisory could be relevant for single and dual-stack ABAP installations.
The advisory is valid for
- SAP_UI 750 18
- SAP_UI 754 26
- SAP_UI 755 22
- SAP_UI 756 16
- SAP_UI 757 8
- UI_700 200 10
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition
