A review, best practices and tips and tricks for this month's SAP Security patches – Fixing SAP vulnerabilities.

A new month, a new SAP Security Patch Tuesday! On the second Tuesday of the month SAP releases patches for vulnerabilities in SAP products, whether discovered by SAP internally or by external researchers such as Protect4S' own researchers. All of this aims to improve the security of SAP's products and to help SAP customers run their SAP systems more securely.
As always, customers should assess the list of released SAP Security notes and apply them where applicable according to their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 16 new and 2 updated SAP Security notes. 2 of these carry the highest rating, HotNews (CVSS 9 or higher). A summary of the highest-rated notes follows.
- SAP Business Client: Note 2622660 is a regularly returning SAP Security note concerning Google Chromium and is relevant for customers that have deployed SAP Business Client. The July 2023 update of this note contains patches for vulnerabilities with a CVSS score of 9.6. Google states that exploits exist for the vulnerabilities in question, so do consider these patches carefully! See also our previous blog about this particular note.
- IS-OIL: Note 3350297 describes an OS command injection vulnerability in this industry solution that can give an attacker extensive control. CVSS is 9.1. Note that no workaround is available and that patching may require manual steps. See FAQ note 3349318 for more information.
- SAP NetWeaver – BI CONT: Note 3331376 describes a Directory Traversal vulnerability with CVSS 8.7. Simply apply the relevant correction instruction or support package to solve this.
- SAP Web Dispatcher / ICM: Notes 3233899 and 3340735 both describe vulnerabilities (CVSS 8.7 and 7.7) that are relevant for a wide array of configurations: stand-alone Web Dispatcher installations as well as integrated setups in the ASCS, SAP HANA and the ICM of an SAP NetWeaver ABAP stack. A workaround is to disable HTTP/2, because only that protocol version is affected. Review the dependencies carefully and apply the updates for a secure configuration!
- SAP Diagnostics Agent: Notes 3352058 and 3348145 both describe vulnerabilities with a CVSS score of 7.2. Patches are available; note that applying them requires patching the LM_SERVICE component of the related SAP Solution Manager system.
At the moment of writing, there are no further public exploits available to our knowledge for the above-mentioned notes. A breakdown by priority can be found below:

For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way for ABAP systems (for the patches with automatic correction instructions). A full overview of this month's SAP Security notes can be found below (these are the new and updated notes released after last month's Patch Tuesday):
| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | 9.1 | HotNews |
| 3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | 8.7 | High |
| 3233899 | [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher | 8.6 | High |
| 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | 8.2 | High |
| 3331029 | [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere | 7.8 | High |
| 3340735 | [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher | 7.7 | High |
| 3352058 | [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) | 7.2 | High |
| 3348145 | [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) | 7.2 | High |
| 3343564 | [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) | 6.5 | Medium |
| 3343547 | [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) | 6.5 | Medium |
| 3341211 | [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) | 6.3 | Medium |
| 3326769 | [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now | 6.1 | Medium |
| 3318850 | [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | 6 | Medium |
| 3320702 | [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform | 5.9 | Medium |
| 3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | 5.3 | Medium |
| 3351410 | [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security | 4.9 | Medium |
| 3088078 | [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA | 4.5 | Medium |
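The monthly review-and-assess step described above can be scripted. The following Python script is an added example (not Protect4S code and not part of the original post): it parses the note table from this post, pasted in as constructed input, derives the SAP priority band from each CVSS v3 score (SAP's published bands, assumed here: HotNews 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), checks that the priority stated in the table agrees with that band, pulls out the CVE identifiers, and produces a patch order for all notes at or above a chosen threshold.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: the note table from this post, one note per line.
# The header row is included on purpose to show that it is skipped.
NOTE_TABLE = """\
SAP Security note # | Description | CVSS v3 Score | Priority |
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | 9.1 | HotNews |
3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | 8.7 | High |
3233899 | [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher | 8.6 | High |
3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | 8.2 | High |
3331029 | [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere | 7.8 | High |
3340735 | [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher | 7.7 | High |
3352058 | [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) | 7.2 | High |
3348145 | [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) | 7.2 | High |
3343564 | [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) | 6.5 | Medium |
3343547 | [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) | 6.5 | Medium |
3341211 | [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) | 6.3 | Medium |
3326769 | [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now | 6.1 | Medium |
3318850 | [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | 6 | Medium |
3320702 | [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform | 5.9 | Medium |
3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | 5.3 | Medium |
3351410 | [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security | 4.9 | Medium |
3088078 | [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA | 4.5 | Medium |
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def sap_priority(cvss: float) -> str:
    """Map a CVSS v3 base score to SAP's priority band (assumed bands:
    HotNews 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low below 4.0)."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Note:
    number: str
    description: str
    cvss: float
    priority: str
    cves: list = field(default_factory=list)


def parse_notes(text: str) -> list:
    """Parse pipe-separated rows into Note objects; rows whose score cell
    is not numeric (the header, malformed lines) are skipped."""
    notes = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        number, desc, score, prio = cells
        try:
            cvss = float(score)
        except ValueError:
            continue
        notes.append(Note(number, desc, cvss, prio, CVE_RE.findall(desc)))
    return notes


def priority_mismatches(notes) -> list:
    """Note numbers whose stated priority disagrees with the CVSS-derived band."""
    return [n.number for n in notes if n.priority != sap_priority(n.cvss)]


def breakdown(notes) -> dict:
    """Count of notes per stated priority (the 'breakdown by priority')."""
    return dict(Counter(n.priority for n in notes))


def patch_plan(notes, min_cvss: float = 7.0) -> list:
    """Note numbers at or above the threshold, highest score first;
    sorted() is stable, so ties keep the table order."""
    ranked = sorted(notes, key=lambda n: -n.cvss)
    return [n.number for n in ranked if n.cvss >= min_cvss]


if __name__ == "__main__":
    notes = parse_notes(NOTE_TABLE)
    print("notes parsed:", len(notes))
    print("breakdown:", breakdown(notes))
    print("priority mismatches:", priority_mismatches(notes) or "none")
    print("patch first (CVSS >= 7.0):", patch_plan(notes))
```

Running the script against this month's table reports 2 HotNews, 7 High and 9 Medium notes with no mismatch between the stated priority and the CVSS band. In practice you would replace the pasted table with an export from the SAP Support Portal and feed the resulting list into your change process; the threshold in `patch_plan` is the policy decision, the script only makes it explicit.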
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!