What is SAP CommonCryptoLib?

SAP CommonCryptoLib is a cryptographic library developed by SAP that provides encryption and digital signature functionalities for SAP systems, designed to replace the older SAP Cryptographic Library.

How can I deploy SAP CommonCryptoLib?

SAP CommonCryptoLib can be deployed either via the Java kernel or by downloading it from the SAP Support Portal.

Is migration from the old SAP Cryptographic Library necessary?

Yes, migration from the older Secure Login Library to CommonCryptoLib is recommended as it supports more features and enhancements.

What are the main features of CommonCryptoLib?

CommonCryptoLib supports FIPS 140-2 compliance, various encryption algorithms, and enhanced configuration options for managing PSE files and SSO credentials.

What encryption algorithms does CommonCryptoLib support?

CommonCryptoLib supports several encryption algorithms, including AES, RSA, and ECDSA, among others.

How do I check the version of CommonCryptoLib in an ABAP system?

You can check the version of CommonCryptoLib in an ABAP system by using specific ABAP commands or by consulting the system's documentation.

What is the role of CommonCryptoLib in SAP HANA?

CommonCryptoLib is used to enable encryption between SAP HANA Studio and the SAP HANA server, ensuring secure communication.

What are the supported SNC protocol versions in CommonCryptoLib?

CommonCryptoLib supports multiple SNC protocol versions, including 2010_1_0 and 2010_1_1.

Can CommonCryptoLib be used for TLS configurations?

Yes, CommonCryptoLib can be configured to support various TLS protocol versions and cipher suites for secure communications.

What are the advantages of using CommonCryptoLib over its predecessor?

CommonCryptoLib offers improved security features, better compliance with modern standards, and ongoing enhancements that are not available in the older SAP Cryptographic Library.

Critical SAP Vulnerability: CVE-2023-40309

Have you heard about the note numbered CVE-2023-40309 with a severity of 9.8, announced by SAP at the October security patch day?

According to this note, SAP CommonCryptoLib does not perform the required authentication checks, which may result in missing or incorrect authorization checks for an authenticated user, leading to an escalation of privileges. Depending on the application and the level of privileges obtained, an attacker can abuse functions restricted to a specific group of users and read, modify, or delete restricted data.

Affected Versions

Almost all ABAP and Java Kernels (including S/4HANA) are affected. Here is the list of affected kernels:

KERNEL 7.22
KERNEL 7.53
KERNEL 7.54
KERNEL 7.77
KERNEL 7.85
KERNEL 7.89
KERNEL 7.91
KERNEL 7.92
KERNEL 7.93
KERNEL 8.04
KERNEL64UC 7.22
KERNEL64UC 7.22EXT
KERNEL64UC 7.53
KERNEL64UC 8.04
KERNEL64NUC 7.22
KERNEL64NUC 7.22EXT

As you can see, the list is extensive.

Corrective Steps

A hotfix has been published for dw_utils.sar and it must be applied to your system to address this vulnerability.

Detection and Prevention

The critical question is, if an attacker was exploiting this vulnerability in your system, do you use a product that could detect the suspicious actions of this user?

Contact us to learn more and schedule a free demo of our product that detects security vulnerabilities in SAP systems. Ensure your systems are not only functional but also secure.

ALL BLOG POSTS

A collection of articles, tutorials, and news about DefenceMore, SAP and security.

Aug 21, 2024

Authorization Objects

Authorization Objects in SAP Systems

Explore the importance of authorization objects in SAP systems and understand the critical tables that play a key role in SAP security.

Aug 6, 2024

SAP GUI

Getting Files from Local PC via SAP GUI with Illegal Methods

Learn how to retrieve local files from a user's desktop using SAP GUI in SAP systems and understand the potential security risks involved.

May 12, 2024

SAP GUI

SAP GUI Versions From a Security Perspective

Understand the importance of keeping SAP GUI versions updated for security and how to plan upgrades effectively.

Apr 5, 2024

System Parameters

The Concept of Parameters in SAP Systems

Understand the different types of profile files and system parameters in SAP systems, and learn how DefenceMore's One Click Audit can help ensure their security.

Nov 21, 2023

Code Inspection

Are Your Systems Really Secure?

Discover the vulnerabilities in your SAP systems and learn about DefenceMore's One Click Audit for SAP Systems.