SAP Security Updates For The Browser Control Google Chromium

SAP Security

SAP has released security updates for Google Chromium via SAP Note 2622660.
The Chromium browser control is delivered with SAP Business Client/NWBC.

This security note addresses multiple vulnerabilities in the 3rd party web browser control Chromium, which can be used within SAP Business Client.

Note: This note is periodically modified based on web browser updates by the open source project Chromium.

What Is Chromium (Web Browser)

Chromium is a free, open-source software project sponsored by Google.
Its source code is used by many browsers, such as Google Chrome, Microsoft Edge and Opera (Source).
New Chromium versions are released daily, hence there are no stable versions of the kind traditional browsers have.

Why Update Is Needed?

From SAP Business Client 6.5 PL5 onwards, customers can use the Chromium browser control to display HTML content within SAP Business Client.
Because the full browser control is delivered and installed with SAP Business Client, security corrections for it are shipped with SAP Business Client patches.

If we do not update SAP Business Client to the latest patch, displaying web pages via this open-source browser control exposes the client to various vulnerabilities, such as information disclosure and memory consumption.

Some of the impacts:

  • System information disclosure
  • System crash in the worst case
  • Direct impact on the confidentiality, integrity and availability of a system
  • Information gathered can be used to craft further attacks, possibly with more severe consequences

CVSS Score

| Name | Value |
| --- | --- |
| Confidentiality Impact (C) | High (H) |
| Integrity Impact (I) | High (H) |
| Availability Impact (A) | High (H) |
| Attack Complexity (AC) | Low (L) |
| Attack Vector (AV) | Network (N) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed (C) |

CVSS v3.0 Base Score: 10,0 / 10
CVSS v3.0 Base Vector:

Solution:

Every new SAP Business Client patch contains the most current stable major release of the Chromium browser control that has passed the SAP-internal quality measurements of SAP Business Client.
Refer to the updated SAP Note 2622660 to find the most recent SAP Business Client version/patch, which contains the most stable Chromium release.

Additionally, SAP recommends configuring the Chromium-specific safeguard parameters below.

More detailed and up-to-date information on these parameters can be found in the SAP Business Client administration guide.

| Parameter | Default |
| --- | --- |
| <EnablePerMonitorDpi> | True |
| <EnableFileExecutionAfterDownload> | True |
| <EnableFileExecutionForExtensions> | .sap |
| <ExposeWindowExternalInSameOriginSubFrames> | False |
| <WinHttpProxyResolver> | True |
| <CertificateErrorHandling> | UserDecision |
| <ShowImages> | True |
| <AllowImagesForUrls> | |
| <EnableJavascript> | True |
| <EnableJavascriptForUrls> | |
| <TLSVersionMin> | TLS1.1 |
| <TLSVersionMax> | TLS1.3 |
| <DownloadPath> | Empty |
| <AskForFileLocationBeforeDownload> | False |
| <DisableGPU> | False |