Making sure that your SAP cloud connection attack surface is low.
Protect4S is a leader in Security Automation for SAP systems. In previous blogs, we have discussed security aspects of the SAP Web Dispatcher and the SAProuter. For more information on our Vulnerability Management solution for SAP Systems, please visit our website: www.protect4S.com
The SAP Cloud Connector (SCC) is an SAP Infrastructure component that facilitates secure connections between SAP Cloud applications (HEC, SAP Analytics Cloud, etc.) and SAP systems located on-premise or in other clouds.
The installation of the SCC comes in 2 flavours:
- a portable version that has the following restrictions:
  - You cannot run it in the background as a Windows Service or Linux daemon (with automatic start capabilities at boot time).
  - The portable version does not support an automatic upgrade procedure. To update a portable installation, you must delete the current one, extract the new version, and then re-do the configuration.
  - The environment variable JAVA_HOME is relevant when starting the instance, and therefore must be set properly.
- an installer version that has the following advantages:
  - It requires administrator or root permissions for the installation and can be set up to run as a Windows service or Linux daemon in the background. You can upgrade it easily, retaining all the configuration and customizing.
Only the installer version is recommended for production environments.
Possible security issues
SAP Customers might have an active SCC that is unsafe due to one of the following reasons:
- A lot of SCC installations have once been installed by consultancy partners working in a project context and are not considered for software updates because they were never properly handed over to the IT support organisation.
- A lot of SCC installations are installed using an older portable version and nobody is really looking forward to redoing the configuration as part of an SCC upgrade.
- The SCC is in the DMZ and access to it is strictly controlled. An upgrade requires extensive permissions and in some larger organisations, these are hard to get.
- The security recommendations of the SCC (visible in the SCC Security Status menu) were not implemented.
- Some parts of the application stack of the SCC (Tomcat, JVM) may have a vulnerability that is not mentioned in the SAP Security Notes.
How to address these points?
- As an SAP IT Support organisation, you should be aware whether your company uses any SAP Cloud-based applications, because these will be listed in the Systems & Installations menu in support.sap.com. Make sure to identify all SCCs in your infrastructure that connect these applications to your on-premise environment.
- The SCC is a very important component located at the edge of an infrastructure. Like the SAP Web Dispatcher and the SAProuter, its patching policy is critical. New versions must be installed as soon as they come out.
- Often, access to critical parts of the Infrastructure like the DMZ is limited to a small group of people. While this is not necessarily a bad thing, care must be taken to enable frequent patching by fast approval of changes and access. Especially in environments where IT services have been outsourced, the people responsible for patching might get frustrated when their access is denied, and patching will no longer take place.
- The SCC has a Security Status menu item that clearly shows the actions required to harden the SCC installation. Make sure that these recommendations are followed up.
- Regarding the vulnerabilities in SCC: the SAP Security Notes of the SCC can be found in the SAP Knowledge base under component: BC-MID-SCC and document type: “SAP Security Notes”. Currently, there are 3 Notes: 3058553, 2696233 and 2614141.
The SCC makes use of other components too: Tomcat and JVM. All these component versions can be seen under the About menu item when logged in under Administration as described here.
For Tomcat, a list of vulnerabilities can be found on CVEDetails. In 2020, CVE-2020-1938 was disclosed, with a CVSS score of 7.5 (High).
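The component versions read from the About menu only become useful once they are compared against something. The script below is an added example (not Protect4S code, not part of the original post) that takes a constructed inventory of SCC instances and flags portable installations and Tomcat versions that predate the CVE-2020-1938 fix; the per-branch fixed versions come from the Apache Tomcat security advisories, not from this post, and the host names and versions are made up.

```python
from dataclasses import dataclass

# First fixed Tomcat version per major branch for CVE-2020-1938, taken from the
# Apache Tomcat security advisories (assumption: branches 6.x and older never got a fix).
CVE_2020_1938_FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

@dataclass
class SccInstance:
    host: str
    install_type: str   # "installer" or "portable"
    scc_version: str    # as shown in the About menu
    tomcat_version: str
    jvm_version: str

def parse_version(v):
    """Turn '8.5.50' into (8, 5, 50); a suffix such as '9.0.31-sap' is ignored."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def tomcat_vulnerable_to_ghostcat(version):
    v = parse_version(version)
    if not v:
        return True          # unreadable version: treat as a finding, not as safe
    if v[0] > 9:
        return False         # branches released after the fix
    fixed = CVE_2020_1938_FIXED.get(v[0])
    return fixed is None or v < fixed

def findings(instances):
    """Return (host, message) pairs for every instance that needs attention."""
    out = []
    for i in instances:
        if i.install_type == "portable":
            out.append((i.host, "portable install: no daemon, no in-place upgrade"))
        if tomcat_vulnerable_to_ghostcat(i.tomcat_version):
            out.append((i.host, f"Tomcat {i.tomcat_version} predates the CVE-2020-1938 fix"))
    return out

# Constructed sample inventory; the hosts and versions are invented for the example.
INVENTORY = [
    SccInstance("scc-prod-01", "installer", "2.13.0", "9.0.31", "8.1.064"),
    SccInstance("scc-proj-legacy", "portable", "2.11.3", "8.5.50", "8.1.040"),
    SccInstance("scc-dmz-02", "installer", "2.12.4", "7.0.99", "8.1.055"),
]

if __name__ == "__main__":
    for host, msg in findings(INVENTORY):
        print(f"{host}: {msg}")
```

A version match is a reason to patch, not proof of exploitability; whether the SCC's embedded Tomcat exposes the affected connector at all is a separate check.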
For SAP JVM, there are currently no new Security Notes. See component: BC-JVM and document type: “SAP Security Notes” in the Knowledge base extended search.
For jQuery, which is part of SAPUI5 version 1.38 and higher, several known XSS-type vulnerabilities exist. See also the SAP Notes:
- 2616247 – jQuery library vulnerability in SAPUI5
- 2941170 – Cross-Site Scripting (XSS) vulnerabilities in modified jQuery bundled with SAPUI5
Other security recommendations:
To keep the SCC safe, SAP Customers need a Vulnerability Management process. Protect4S offers an automated Vulnerability Management Solution that can execute thousands of security checks in complex and large SAP environments, present the findings in a clear manner and offer mitigation and remediation advice based on SAP’s own Best Practices.
Protect4S offers a free trial so you can experience how much easier SAP Platform Security becomes with Protect4S and how easy it is to start up and work with it.
Give us a try!