Easily overlooked in the patching process

When it comes to security patching of an SAP system, there are a lot of components involved. There are the obvious candidates, such as individual security notes, kernel executables, and patches at operating system and database level. In our experience, though, there is a part that is easily overlooked in the patching process and deserves additional attention: the SAPUI5 library. In this blog we address a few points worth mentioning, taking the perspective of an SAP technology team responsible for patching on-premise SAP systems.
The framework – security relevance
SAPUI5 is a JavaScript-based user interface framework that SAP introduced in 2010 for building more modern, responsive user interfaces. Something SAP was not always particularly known for… With SAP Fiori driving its adoption and after a lot of further development, SAPUI5 is currently the go-to framework for building user interfaces in the SAP domain. For a nice historical overview of OpenUI5 and SAPUI5, see the following blog here.
With its pivotal role in user experience, the SAPUI5 library is of course also important from a security perspective. Security notes concerning SAPUI5 are released regularly; one recent example (October 2022) is high priority note 3249990 with a CVSS score of 7.5. Initially this note was even released with a ‘very high’ priority and a score of 9.8, but this was later lowered after further investigation. It still demonstrates the security impact the framework may have.
Version of ‘the’ library
When it comes to patching the SAPUI5 library, the first thing to realize is that there is actually no such thing as ‘the’ SAPUI5 library, even though it is often described that way. It actually consists of several underlying libraries, covering several different functions. A useful introduction to this can be found here.
Then there are the versions of SAPUI5. These are notated in the following 3-digit schema: <major version>.<minor version>.<patch level>. As of yet, there is only one major version, which is ‘1’, so in practice only the minor version and patch level need to be considered. There are several ways to find out which versions are installed; see SAP note 2282103 as a starting point.
For an SAP ABAP based system, the installed versions as well as the underlying libraries can be easily found by going to the SAPUI5 Library information page: http://<host>:<port>/sap/public/bc/ui5_ui5. Like the (incomplete) example below:

Starting points for patching
In the example shown, the overall version is 1.71.38. Upgrading the minor version can only be done by importing support packages of the corresponding SAP_UI component. Applying a patch is a quite different procedure and requires running report /UI5/UI5_UPLOAD_PATCH_TO_MIME. SAP note 3155948 describes this procedure and also gives information about which minor version is included in which SAP_UI support package. To delete obsolete versions, consider doing this manually via transaction SE80, MIME repository; see SAP note 2713475. Only after making sure there is no remaining reference to these versions, of course.
For an SAP Java based system, there is no separate procedure to apply a patch; this always requires an update of the SAPUI5 CLIENT RT component. See SAP note 2426484 as a starting point and note 2673298 for information about which minor version is included in which SAPUI5 CLIENT RT package. Also note that on an SAP Java based system, several minor versions will exist side by side in the system. If required, refer to versions other than the default by following SAP note 2541677.
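As an added illustration (not code from this blog, Protect4S or SAP) of how the version schema maps onto the two patching routes described above, the helper below compares installed SAPUI5 versions against a required minimum and reports whether a support package (minor version bump) or a patch (patch level bump within the same minor version) is needed; the version values used are constructed assumptions, not figures from any SAP note.

```python
"""Classify the remediation route for installed SAPUI5 versions.

Constructed example: version strings and the required minimum below are
assumptions for illustration, not values taken from an SAP security note.
"""
import re

# Matches the 3-digit schema <major>.<minor>.<patch>, e.g. 1.71.38
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse '<major>.<minor>.<patch>' into a comparable (int, int, int) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a SAPUI5 version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def remediation(installed: str, required: str) -> str:
    """Return which patching route closes the gap between installed and required.

    A higher minor version only arrives via a support package of the owning
    component (SAP_UI on ABAP, SAPUI5 CLIENT RT on Java). A higher patch level
    within the same minor version is applied as a patch (on ABAP via report
    /UI5/UI5_UPLOAD_PATCH_TO_MIME; on Java also via a SAPUI5 CLIENT RT update).
    """
    have, need = parse_version(installed), parse_version(required)
    if have[0] != need[0]:
        # Only major version 1 exists today; flag anything else for manual review.
        return "major-mismatch"
    if have >= need:
        return "ok"
    if have[1] < need[1]:
        return "support-package"
    return "patch"


def check_system(installed_versions, required: str) -> dict:
    """Check every installed version, since Java systems carry several minor
    versions side by side and each one may need its own remediation."""
    return {version: remediation(version, required) for version in installed_versions}


if __name__ == "__main__":
    # Constructed sample: an ABAP system on 1.71.38 and a Java system with two lines.
    print(check_system(["1.71.38"], "1.71.45"))
    print(check_system(["1.71.38", "1.96.10"], "1.71.45"))
```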
In this blog we simply wanted to point out the importance of the SAPUI5 library in terms of security and to give some useful references as a starting point for patching SAP systems. There are numerous other sources with information on (sub)topics concerning SAPUI5; we limit ourselves to naming two additional ones specifically: the UI5 Demo Kit page and a nice overview page from sap-press.com.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Try out our Protect4S Vulnerability Management solution for 1 month for free or request a demo!