A review, best practices and tips and tricks for this month's SAP Security patches – Fixing SAP vulnerabilities.
A new month, a new SAP Security Patch Tuesday! On the second Tuesday of the month SAP releases patches for vulnerabilities in SAP products, discovered either by SAP internally or by external researchers such as Protect4S' own research team. All of this work aims to improve the security of SAP's products and to help SAP customers run their SAP systems more securely.
As always, customers should assess the list of released SAP Security notes and apply them where applicable, following their own SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 18 new and 7 updated SAP Security notes. 3 of these carry the highest HotNews rating (CVSS 9 or higher), which is fewer than in previous months. A summary of the highest-rated notes follows.
- SAP Business Client: Note 2622660 is a regularly recurring SAP Security note concerning the Google Chromium browser control and is relevant for customers that have deployed SAP Business Client. The May 2023 update of this note again contains patches for issues with a CVSS score of 9.8, so it should naturally be assessed for installation. See also our previous blog about this particular note.
- SAP Reprise License Manager: the Reprise License Manager component in version 14.2 has vulnerabilities related to its web interface, resulting in a CVSS score of 9.8; see note 3328495. The vulnerabilities are fixed by an updated version of SAP 3D Visual Enterprise License Manager, which can be installed without the web interface functionality. There is also a workaround that disables the web interface, but applying the update is preferred.
- SAP BusinessObjects: Note 3307833 describes a vulnerability that can lead to impersonation of any user on the system and to unavailability of the system as a whole. It has a CVSS score of 9.1 and can only be fixed by applying the provided patches. This note also serves as an additional fix for the earlier released security notes 3145769, 3213507, 3213524, 3233226 and 3217303, so make sure to implement note 3307833 to ensure all of these vulnerabilities have been fixed!
- SAP Commerce: notes 3320145 and 3321309 address two vulnerabilities, each with a CVSS score of 7.5, impacting the availability and the confidentiality of the system respectively. Determining the required patches can be tricky; see the referred link for additional information about patch releases for SAP Commerce.
At the moment of writing, no public exploits are known to us for the above-mentioned notes. A total of 25 notes have been released this month: 18 new ones and 7 updates to older notes or additions to last month's Patch Tuesday. A breakdown by priority can be found below:
For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way for ABAP systems (for the patches with automatic correction instructions). A full overview of this month's SAP Security notes can be found below (these are the new and updated notes released after last month's Patch Tuesday):
| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager | 9.8 | HotNews |
| 3307833 | [CVE-2023-28762] Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform | 9.1 | HotNews |
| 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | 8.2 | High |
| 3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA | 8.2 | High |
| 3323415 | [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel | 8.2 | High |
| 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 7.7 | High |
| 3320467 | [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows | 7.5 | High |
| 3320145 | Denial of service (DOS) in SAP Commerce | 7.5 | High |
| 3300624 | [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) | 7.5 | High |
| 3321309 | Information Disclosure vulnerability in SAP Commerce (Backoffice) | 7.5 | High |
| 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | 7.1 | High |
| 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 6.8 | Medium |
| 3313484 | [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 6.3 | Medium |
| 3309935 | [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | 6.1 | Medium |
| 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 6.1 | Medium |
| 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | 6.1 | Medium |
| 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | 6 | Medium |
| 3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 5.4 | Medium |
| 3312892 | [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | 5.4 | Medium |
| 3145769 | [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 5.3 | Medium |
| 3038911 | [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service) | 5 | Medium |
| 3302595 | [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 3.7 | Low |
| 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | 3.1 | Low |
| 2335198 | [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy | 2.8 | Low |
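As an added illustration of the monthly review-and-assess step described above (example code written for this post, not Protect4S or SAP tooling), the script below takes the note list from the table, reproduces the breakdown by priority, checks each published priority against SAP's CVSS bands, and flags the earlier BusinessObjects notes that note 3307833 additionally fixes. The NOTES list and the SUPERSEDED_BY mapping are constructed from this post; the band thresholds are an assumption stated in the code.

```python
"""Triage helper for a monthly SAP Security Patch Tuesday list.

Added example, not Protect4S or SAP code. NOTES is constructed from the table in this
post: (note number, CVSS v3 score, priority as published by SAP). SUPERSEDED_BY encodes
the statement above that note 3307833 also fixes five earlier BusinessObjects notes.
"""
from collections import Counter

NOTES = [
    (2622660, 10.0, "HotNews"), (3328495, 9.8, "HotNews"), (3307833, 9.1, "HotNews"),
    (3213507, 8.2, "High"), (3317453, 8.2, "High"), (3323415, 8.2, "High"),
    (3217303, 7.7, "High"), (3320467, 7.5, "High"), (3320145, 7.5, "High"),
    (3300624, 7.5, "High"), (3321309, 7.5, "High"), (3326210, 7.1, "High"),
    (3233226, 6.8, "Medium"), (3313484, 6.3, "Medium"), (3309935, 6.1, "Medium"),
    (3315971, 6.1, "Medium"), (3319400, 6.1, "Medium"), (3213524, 6.0, "Medium"),
    (3315979, 5.4, "Medium"), (3312892, 5.4, "Medium"), (3145769, 5.3, "Medium"),
    (3038911, 5.0, "Medium"), (3302595, 3.7, "Low"), (3117978, 3.1, "Low"),
    (2335198, 2.8, "Low"),
]

# newer note -> earlier notes for which it carries an additional fix (from the post)
SUPERSEDED_BY = {3307833: {3145769, 3213507, 3213524, 3233226, 3217303}}


def priority_from_cvss(score: float) -> str:
    """Assumed SAP bands: HotNews >= 9.0, High 7.0-8.9, Medium 4.0-6.9, Low below 4.0."""
    if score >= 9.0:
        return "HotNews"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def breakdown(notes):
    """Number of notes per priority, i.e. the monthly breakdown by priority."""
    return dict(Counter(priority for _, _, priority in notes))


def mismatched(notes):
    """Notes whose published priority differs from the CVSS band; worth a second look."""
    return [n for n, score, priority in notes if priority_from_cvss(score) != priority]


def followup_required(notes, superseded_by=SUPERSEDED_BY):
    """Map each listed older note to the newer note that must also be applied to close it."""
    listed = {n for n, _, _ in notes}
    return {old: new for new, olds in superseded_by.items() if new in listed
            for old in olds if old in listed}
```

Running `breakdown(NOTES)` gives the 3 HotNews, 9 High, 10 Medium and 3 Low notes of this month, and `followup_required(NOTES)` lists the five notes that are only fully closed once 3307833 is applied as well.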