This week, SAP AG published a hot news item titled “SAP Security Note 2067859 (Potential Exposure to Digital Signature Spoofing)”, which alerts users to a potential vulnerability in certain cryptographic libraries used by SAP NetWeaver Application Server ABAP and SAP HANA. By abusing these libraries, an attacker could potentially spoof digital signatures produced on vulnerable systems, i.e., successfully masquerade as a legitimate user.
To ensure your SAP systems are not vulnerable, check that your crypto library versions are equal to or higher than:
- SAPCRYPTOLIB version 5.555.38
- CommonCryptoLib version 8.4.30
SAPSECULIB has been deprecated, and must be replaced by the latest SAPCRYPTOLIB version.
Stack kernel 720 PL#700 already ships with the fixed CommonCryptoLib.
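A small checker for the version thresholds above, added here as an example (not SAP's own tooling). It assumes the versions you read from your systems use the same dotted "major.minor.patch" format as the note, and the inventory rows are constructed samples; the point it makes beyond the text is that versions must be compared numerically, since as plain strings "8.4.4" sorts after "8.4.30" and would wrongly pass.

```python
# Minimum fixed versions from SAP Security Note 2067859, as stated on this page.
FIXED_VERSIONS = {
    "SAPCRYPTOLIB": "5.555.38",
    "COMMONCRYPTOLIB": "8.4.30",
}
# SAPSECULIB is deprecated: no version is acceptable, replace with SAPCRYPTOLIB.
DEPRECATED = {"SAPSECULIB"}


def parse_version(version):
    """Turn a dotted version such as '5.555.38' into a tuple of ints.

    Numeric comparison matters: compared as strings, '8.4.4' > '8.4.30',
    so a lexicographic check would report an unpatched library as fixed.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(library, version):
    """Return 'patched', 'vulnerable', 'deprecated' or 'unknown' for one library."""
    name = library.strip().upper()
    if name in DEPRECATED:
        return "deprecated"
    if name not in FIXED_VERSIONS:
        return "unknown"
    fixed = parse_version(FIXED_VERSIONS[name])
    return "patched" if parse_version(version) >= fixed else "vulnerable"


def report(inventory):
    """Assess a list of (system id, library, version) rows; all rows are returned."""
    return [(sid, lib, ver, assess(lib, ver)) for sid, lib, ver in inventory]


# Constructed sample inventory (hypothetical system ids and versions, not real data).
SAMPLE_INVENTORY = [
    ("PRD", "CommonCryptoLib", "8.4.30"),   # exactly the fixed version
    ("QAS", "CommonCryptoLib", "8.4.4"),    # older, despite sorting later as a string
    ("DEV", "SAPCRYPTOLIB", "5.555.38"),
    ("ERP", "SAPCRYPTOLIB", "5.56.1"),      # 56 < 555, so still vulnerable
    ("BW",  "SAPSECULIB", "5.5.0"),
]

if __name__ == "__main__":
    for sid, lib, ver, status in report(SAMPLE_INVENTORY):
        print(f"{sid:4} {lib:16} {ver:10} {status}")
```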
Note: As stated in the SAP Security Note 2067859, you should replace the DSA PSEs on all the involved SAP NetWeaver Application Server ABAP and SAP HANA systems. Also, remember to replace the system public keys in their signature trusting systems as an additional security measure.