Security updates for the browser control Google Chromium delivered with SAP Business Client
The SAP Note 2622660 – ‘Security updates for the browser control Google Chromium delivered with SAP Business Client’ shows up in many SAP Security Patch Days.
It is classified as Very High (CVSS 10.0) because it lists all known vulnerabilities in the “Chromium for SAP Business Client 7.70” and is rated with the highest CVSS rating of all listed vulnerabilities.
This SAP Security Note may affect your installation of the “SAP Business Client 7.70” aka NWBC (NWBC770).
The additional package “Chromium for SAP Business Client 7.70” delivered with the “SAP Business Client 7.70” is based on the open source software Chromium. Whenever Chromium receives a security fix, all products based on a vulnerable version of Chromium need to be rebuilt based on the fixed version.
Other examples of such proprietary software are the browsers Google Chrome and Microsoft Edge. In contrast to SAP Business Client 7.70, both come with their own Update Service, which takes care of updating the software in a timely manner.
The additional package “Chromium for SAP Business Client 7.70” is selected by default and is therefore most likely installed on all clients which are running “SAP Business Client 7.70”.
When does the NWBC770 use “Chromium for SAP Business Client 7.70”?
While the default browser-control for NWBC770 is still ‘Internet Explorer’ (leveraging the MSHTML engine which is still part of Windows), it can optionally be switched to ‘Chromium’ if the package “Chromium for SAP Business Client 7.70” is installed.
For this, the Primary Browser-Control has to be set to ‘Chromium’ in the NWBC settings either by the user or by the admin.
For the setting to be specified by the admin, an NwbcOptions.xml containing a section for ‘<DefaultBrowserControl>’ has to be rolled out. The configuration can be defined either as a recommended setting that the user can change or as a non-changeable setting.
Please note: According to the documentation (SAP Help Portal), it is not possible to enforce the Chromium browser-control for specific URLs via the Dynamic Browser Control Selection File.
Even if the Chromium browser-control is not used, it has to be patched, as otherwise vulnerable software will reside on the client.
Uninstall “Chromium for SAP Business Client 7.70”, if it is not used
If the Chromium browser-control is not used, do not distribute the “Chromium for SAP Business Client 7.70” package. That is, deselect this additional component in the installer at installation time.
Hint #1: If the default setting for the browser-control was not changed, most likely “Internet Explorer” is used.
Hint #2: After “Chromium for SAP Business Client 7.70” is uninstalled, the default setting for the browser-control is “Internet Explorer”.
Hint #3: If the “Chromium for SAP Business Client 7.70” is not installed, ‘Edge’ (more specifically, Edge WebView2) can also be used, as “SAP Business Client 7.70” has built-in support for it as of PL0. See below.
Uninstall “Chromium for SAP Business Client 7.70”, after switching to Edge WebView2
Microsoft announced that WebView2 will be automatically deployed as of January 2023 to all Windows 10 1809 and higher (https://blogs.windows.com/msedgedev/2022/12/14/delivering-microsoft-edge-webview2-runtime-to-managed-windows-10-devices/). It is rolled out in the so-called Evergreen Runtime distribution mode, where the Microsoft Edge Update Service takes care of updating WebView2. Nevertheless, which WebView2 version is needed for which NWBC can be found in SAP Note 3054060.
When Edge WebView2 is installed on the relevant clients, in “SAP Business Client 7.70” the Primary Browser-Control can be switched to ‘Edge’ and the “Chromium for SAP Business Client 7.70” package can be uninstalled.
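Before switching clients to ‘Edge’ and removing the Chromium package, it helps to confirm that the WebView2 Evergreen Runtime is really present. The following PowerShell check is an added example, not code from SAP or Microsoft: it reads the registry locations and the ‘pv’ value that Microsoft documents for detecting the WebView2 Runtime. The function name and the minimum version are assumptions; take the real minimum for your patch level from SAP Note 3054060.

```powershell
# Added example: WebView2 Evergreen Runtime readiness check for one client.
# Get-WebView2RuntimeStatus is a hypothetical helper name.
function Get-WebView2RuntimeStatus {
    param(
        # PLACEHOLDER: replace with the version SAP Note 3054060 requires
        # for the NWBC patch level in use.
        [version]$MinimumVersion = '0.0.0.1'
    )

    # Client GUID under which the WebView2 Runtime registers with Edge Update.
    $clientId = '{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
    $candidates = @(
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\$clientId"  # per machine, 64-bit Windows
        "HKLM:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$clientId"              # per machine, 32-bit Windows
        "HKCU:\Software\Microsoft\EdgeUpdate\Clients\$clientId"              # per-user installation
    )

    $found = foreach ($path in $candidates) {
        $pv = (Get-ItemProperty -LiteralPath $path -Name pv -ErrorAction SilentlyContinue).pv
        # A missing, empty or 0.0.0.0 value means no runtime at this location.
        if ($pv -and $pv -ne '0.0.0.0') {
            [pscustomobject]@{ Path = $path; Version = [version]$pv }
        }
    }

    # If several installations exist, report the newest one.
    $best = $found | Sort-Object Version -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = [bool]$best
        Version      = if ($best) { $best.Version } else { $null }
        RegistryPath = if ($best) { $best.Path } else { $null }
        MeetsMinimum = [bool]($best -and $best.Version -ge $MinimumVersion)
    }
}

Get-WebView2RuntimeStatus
```

The HKCU location is evaluated for the account that runs the script, so a per-user installation is only seen when the check runs in that user's context.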
Update to SAP Business Client 8.00
SAP Business Client 8.00 no longer supports the Chromium browser-control at all. Therefore, it is not affected by the Chromium-related vulnerabilities.
NWBC800 allows the use of either Internet Explorer (more specifically, the MSHTML engine) or Edge (more specifically, Edge WebView2).
SAP Note 3220574 lists all prerequisites for NWBC800. It is explicitly mentioned that “Older releases of SAP GUI for Windows can be used as well. Recent features and specific corrections might not be available then.”
Please note: Because SAP Business Client versions can be installed in parallel, SAP Business Client 7.70 still has to be uninstalled.
Patch the “Chromium for SAP Business Client 7.70” package
Finally, wherever the “Chromium for SAP Business Client 7.70” package cannot be avoided for now, it has to be patched by applying the latest SAP Business Client 7.70 Patch Level containing the relevant fixes for Chromium.