A review, best practices and tips and tricks for this month's SAP Security patches – fixing SAP vulnerabilities.
A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases patches for vulnerabilities in its products, whether found by SAP internally or by external researchers such as Protect4S' own. All of this serves to improve the security of SAP's products and to let SAP customers run their systems more securely.
As always, customers should assess the list of released SAP Security notes and apply the applicable ones according to their SAP vulnerability management process and procedures. This month, counting from the last Patch Tuesday, there are 24 new and updated SAP Security notes, 5 of which carry the highest rating, HotNews (CVSS 9.0 or higher). The highest-rated notes are summarised below.
- SAP Business Client: Note 2622660 is a regularly returning SAP Security note covering the Google Chromium browser control shipped with SAP Business Client, and is relevant for customers that have deployed it. The note itself keeps its HotNews rating (CVSS 10), but the Chromium fixes added in this April 2023 update have a CVSS of 8,8 and should be assessed for installation. See also our previous blog about this particular note.
- SAP Diagnostics Agent: Note 3305369 fixes two Remote Code Execution (RCE) vulnerabilities, rated CVSS 10 and 9. Both allow remote command execution on the operating system of the Diagnostics Agents connected to a SAP Solution Manager system. CVE-2023-27497 is only relevant for Diagnostics Agents running on Microsoft Windows; CVE-2023-27267 affects all operating systems. Successful exploitation leads to a complete compromise of the confidentiality, integrity and availability of the affected hosts. There is no workaround, so applying the fixes supplied by SAP is imperative. See FAQ note 3309989 for additional information.
- SAP NetWeaver AS Java: Note 3273480 (CVSS 9,9, improper access control in User Defined Search) was first released in 2022 and has now been updated with additional patch information for 7.50 SP0026. Customers should confirm whether this patch applies to their landscape.
- SAP BusinessObjects: Note 3298961 describes the potential disclosure of passwords from the so-called LCMBIAR file (the export file of Promotion Management) by bypassing its encryption. Passwords of BI users can be recovered from the file, which can lead to a complete compromise of the system; the note is therefore rated CVSS 9,8. A patch is available; where it cannot be applied yet, the note describes a workaround that (partly) mitigates the risk.
- SAP ABAP Platform: Note 3294595 (CVSS 9,6, Directory Traversal) has been updated with a better description of the workaround. Customers that already fixed the vulnerability by applying the patch normally need no further action; the workaround is only relevant where the patch cannot be applied yet.
- SAP ABAP Platform: Note 3305907 describes a Directory Traversal vulnerability in the BI CONT add-on, rated High with a CVSS of 8,7. It can allow system files to be overwritten, rendering the system unavailable as a result. Applying the note or the corresponding support package mitigates this risk.
At the time of writing there are, to our knowledge, no public exploits for the above-mentioned notes. A total of 24 notes were released this month: 20 new ones and 4 updates of older notes or additions to last month's Patch Tuesday. Broken down by priority, that is 5 HotNews, 1 High, 15 Medium and 3 Low notes.
For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and, for ABAP systems, applying the patches that come with automatic correction instructions in an automated way. A full overview of this month's SAP Security notes (new and updated notes released since last month's Patch Tuesday) can be found below:
| SAP Security note # | Description | CVSS v3 score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3305369 | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) | 10 | HotNews |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | HotNews |
| 3298961 | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9,8 | HotNews |
| 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9,6 | HotNews |
| 3305907 | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | 8,7 | High |
| 3312733 | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management | 6,8 | Medium |
| 3311624 | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) | 6,7 | Medium |
| 3289994 | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal | 6,5 | Medium |
| 3296378 | [CVE-2023-28763] Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform | 6,5 | Medium |
| 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6,5 | Medium |
| 3275458 | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | 6,1 | Medium |
| 3309056 | [CVE-2023-27897] Code Injection vulnerability in SAP CRM | 6 | Medium |
| 3269352 | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) | 5,4 | Medium |
| 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | 5,4 | Medium |
| 3303060 | [CVE-2023-29185] Denial of Service (DoS) in SAP NetWeaver AS for ABAP (Business Server Pages) | 5,3 | Medium |
| 3287784 | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | 5,3 | Medium |
| 3315312 | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher | 5 | Medium |
| 3316509 | Remote Code Execution vulnerability in SAP Commerce | 4,7 | Medium |
| 3115598 | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 4,4 | Medium |
| 3301457 | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) | 4,3 | Medium |
| 3113349 | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 3,7 | Low |
| 3114489 | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | 3,7 | Low |
| 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | 3,1 | Low |
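To make the monthly review process described above concrete, here is an added example (written for this post; it is not Protect4S or SAP code) of the triage step: it reads a handful of rows from the overview table, derives SAP's priority band from the CVSS v3 score (HotNews 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, the bands SAP publishes and the ones the table follows), flags any row whose published priority does not match its score, and lists the notes a system still lacks, highest priority first. The sample rows are taken from the table; the set of already implemented notes (`IMPLEMENTED_NOTES`) is a constructed assumption, which in practice you would take from the system itself (for example the note status in transaction SNOTE on an ABAP system).

```python
"""Monthly SAP Security note triage.

Added example for this post, not Protect4S or SAP code. Derives the SAP
priority band from the CVSS score, cross-checks it against the published
priority, and lists the notes a system still lacks, highest priority first.
"""
from dataclasses import dataclass

# SAP priority bands for CVSS v3 base scores: HotNews 9.0-10.0, High 7.0-8.9,
# Medium 4.0-6.9, Low 0.1-3.9. Order matters: the first floor that fits wins.
PRIORITY_BANDS = (
    (9.0, "HotNews"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
)
BAND_RANK = {label: rank for rank, (_, label) in enumerate(PRIORITY_BANDS)}

# Sample rows copied from the April 2023 overview: note;title;CVSS;priority.
# CVSS scores are written with a decimal comma, as on the page.
MONTHLY_NOTES = """\
2622660;Security updates for Google Chromium in SAP Business Client;10;HotNews
3305369;[CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent;10;HotNews
3298961;[CVE-2023-28765] Information Disclosure in SAP BusinessObjects BI Platform;9,8;HotNews
3305907;[CVE-2023-29186] Directory Traversal in SAP NetWeaver (BI CONT ADD ON);8,7;High
3312733;[CVE-2023-26458] Information Disclosure in SAP Landscape Management;6,8;Medium
3000663;[CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and ICM;5,4;Medium
3301457;[CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms;4,3;Medium
3117978;[CVE-2023-29111] Information Disclosure in SAP AIF (ODATA service);3,1;Low
"""

# Constructed inventory (assumption): notes this hypothetical system already has.
IMPLEMENTED_NOTES = {2622660, 3000663, 3117978}


@dataclass(frozen=True)
class SecurityNote:
    number: int
    title: str
    cvss: float
    priority: str  # priority as published by SAP


def priority_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to SAP's priority band."""
    if not 0.1 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in PRIORITY_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: bands cover 0.1-10.0")


def parse_notes(text: str) -> list[SecurityNote]:
    """Parse 'note;title;cvss;priority' lines; accepts decimal commas."""
    notes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split(";")]
        if len(cells) != 4:
            raise ValueError(f"expected 4 fields in {line!r}")
        number, title, score, priority = cells
        notes.append(SecurityNote(int(number), title,
                                  float(score.replace(",", ".")), priority))
    return notes


def check_priorities(notes: list[SecurityNote]) -> list[tuple[int, str, str]]:
    """Return (note, published, expected) for rows whose published priority
    does not match the CVSS band, e.g. a transcription error in the sheet."""
    return [(n.number, n.priority, priority_from_cvss(n.cvss))
            for n in notes if n.priority != priority_from_cvss(n.cvss)]


def missing_notes(notes: list[SecurityNote],
                  implemented: set[int]) -> list[SecurityNote]:
    """Notes not yet applied, ordered HotNews first, then by CVSS descending.
    The order is derived from the score, not the published label, so a
    mislabelled row cannot push a HotNews fix down the list."""
    todo = [n for n in notes if n.number not in implemented]
    return sorted(todo, key=lambda n: (BAND_RANK[priority_from_cvss(n.cvss)],
                                       -n.cvss, n.number))


def main() -> None:
    notes = parse_notes(MONTHLY_NOTES)
    for number, published, expected in check_priorities(notes):
        print(f"WARNING: note {number} published as {published}, "
              f"CVSS band says {expected}")
    print("Notes still to assess and apply:")
    for n in missing_notes(notes, IMPLEMENTED_NOTES):
        print(f"{priority_from_cvss(n.cvss):8} {n.cvss:4.1f}  {n.number}  {n.title}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the script prints the five notes the constructed inventory lacks, the two HotNews Diagnostics Agent and BusinessObjects notes at the top. The cross-check is there because the priority label is what most teams filter on; deriving it from the score catches a row that was copied with the wrong label before it silently drops out of the HotNews queue.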