A review, best practices and tips and tricks for this months’ SAP Security patches – Fixing SAP vulnerabilities.
A new month, a new SAP Security Patch Tuesday! The 2nd Tuesday in the month where SAP releases their patches to fix vulnerabilities in SAP products. Either being discovered by SAP internally, or by external researchers such as Protect4S’ own researchers. This month’s SAP Security note 3287291 contains a fix for a vulnerability reported by Protect4S research. All trying to improve SAP’s product security and have SAP customers run their SAP systems more secure.
As always, customers should assess the list of released SAP Security notes and apply them where applicable and conform their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 26 new and updated SAP Security notes. Just 1 of them has the highest HotNews rating. Some newly released SAP Security notes of attention (above CVSS 8) are:
- Customers using SAP Business Objects should address the note with number 3256787 – [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC)). This note has a CVSS score of 8,4/10 and could allow an authenticated admin user to upload malicious code that can be executed by the application over the network. Also pay attention to another SAP Business Objects High-risk note that was released: 3263135.
- A High-risk note has been released for the SAP ABAP stack with number 3285757 – [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service. This vulnerability has a CVSS score of 8,8/10 and is a vulnerability where an attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent Service, can submit a specially crafted webservice request with an operating system command which will be executed with administrator privileges.
At the moment of writing there are no public exploits available to our knowledge for the above-mentioned notes. A total of 26 notes have been released this month: 21 new ones and 5 updates to older notes or additions to last month’s Patch Tuesday. A breakdown by priority can be found below:
For organisations using SAP software it is important to have a process and procedures in place that ensures that every month the SAP Security notes are reviewed, assessed for relevance and risk and that patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and apply them in an automated way for ABAP systems (for the patches with automatic correction instructions). A full overview of this months’ SAP Security notes can be found below (These are new and updated notes released after last months’ patch Tuesday):
| SAP Security note # | Description | CVSS v3 Score | Priority |
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10,0 | HotNews |
| 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8,5 | High |
| 3256787 | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | 8,4 | High |
| 3285757 | [CVE-2023-24523] Privil. Esc vulnerability in SAP Host Agent (Start Service) | 8,8 | High |
| 3263135 | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 8,5 | High |
| 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8,8 | High |
| 2788178 | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 4,3 | Medium |
| 2985905 | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | 6,5 | Medium |
| 3275841 | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | 5,4 | Medium |
| 3293786 | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | Medium |
| 3281724 | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | 6,5 | Medium |
| 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6,5 | Medium |
| 3282663 | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | 6,1 | Medium |
| 3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | Medium |
| 3269118 | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | Medium |
| 3269151 | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6,1 | Medium |
| 3271227 | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6,1 | Medium |
| 3268959 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | Medium |
| 3266751 | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | 6,1 | Medium |
| 3265846 | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6,5 | Medium |
| 3267442 | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6,5 | Medium |
| 3270509 | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | 6,5 | Medium |
| 3263863 | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | 4,3 | Medium |
| 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6,1 | Medium |
| 3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | Medium |
| 3287291 | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 3,8 | Low |
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!
