A review, best practices and tips and tricks for this month’s SAP Security patches – Fixing SAP vulnerabilities.
A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases patches for vulnerabilities in SAP products, whether discovered by SAP internally or by external researchers such as Protect4S’ own. All of this serves to improve SAP product security and to help SAP customers run their SAP systems more securely.
As always, customers should assess the list of released SAP Security notes and apply them where applicable, according to their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 17 new and 1 updated SAP Security notes. 1 of these 18 notes has the highest HotNews rating (CVSS 9 or higher). A summary of the highest rated notes follows.
- Note 3358300 with a CVSS of 7,6 describes a Cross-Site Scripting (XSS) vulnerability in SAP Business One and can be fixed by applying the patch.
- There are 2 SAP BusinessObjects related notes with a CVSS score higher than 8.0:
  - [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)
  - Denial of Service (DoS) vulnerability due to the usage of a vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC)
  - Both vulnerabilities are fixed by applying the patch.
- SAP note 3344295 deals with a rare situation where the Message Server ACL (Access Control List) can be bypassed, which may enable an authenticated malicious user to enter the network of the SAP systems served by the attacked SAP Message Server. A manual workaround is available, but the best fix is to apply the kernel patch mentioned in the note.
- There are 2 SAP PowerDesigner (for Sybase) related notes with a CVSS score higher than 7.8:
  - SAP note 3341599 ([CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner)
  - SAP note 3341460 ([CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner)
  - The last note is a HotNews note and allows an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy. Fixing the above vulnerabilities might require additional manual activities.
- SAP note 3346500 ([CVE-2023-39439] Improper authentication in SAP Commerce Cloud) deals with a vulnerability where certain configurations of SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. Simply apply the relevant patch to solve this.
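The empty-passphrase failure mode described in note 3346500 is an instance of an authenticator that fails open when the supplied credential is absent. The Python snippet below is an added illustration of that defect class and its fix; it is not SAP code and does not claim to reproduce the actual SAP Commerce Cloud logic. The user store, passphrases and PBKDF2 parameters are constructed for the example.

```python
"""Fail-closed passphrase verification, shown next to the fail-open defect.

Added illustration, not SAP code: the defective variant treats "nothing to
compare" (empty supplied passphrase, or a user without a stored credential)
as "nothing required"; the hardened variant rejects both before comparing.
All users, salts and passphrases are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the passphrase; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)


# Constructed user store: uid -> (salt, stored hash). The "svc" account stands
# in for a user whose passphrase was never provisioned (no credential stored).
_SALT = os.urandom(16)
USERS: Dict[str, Optional[Tuple[bytes, bytes]]] = {
    "alice": (_SALT, hash_passphrase("correct horse battery staple", _SALT)),
    "svc": None,
}


def authenticate_insecure(uid: str, passphrase: str) -> bool:
    """Defective pattern: when there is nothing to compare, the comparison is
    skipped and any known user is accepted. An empty passphrase therefore logs
    in, which is the symptom note 3346500 describes."""
    record = USERS.get(uid)
    if record is None or not passphrase:
        return uid in USERS  # skips verification instead of refusing
    salt, stored = record
    return hmac.compare_digest(hash_passphrase(passphrase, salt), stored)


def authenticate(uid: str, passphrase: str) -> bool:
    """Hardened pattern: refuse empty or whitespace-only passphrases and users
    without a stored credential before any comparison; compare hashes in
    constant time so the check does not leak through timing."""
    if not uid or not passphrase or not passphrase.strip():
        return False
    record = USERS.get(uid)
    if record is None:
        return False  # no provisioned credential means no login, not free login
    salt, stored = record
    return hmac.compare_digest(hash_passphrase(passphrase, salt), stored)


if __name__ == "__main__":
    for fn in (authenticate_insecure, authenticate):
        print(fn.__name__, "alice/empty ->", fn("alice", ""), "| svc/any ->", fn("svc", "x"))
```

The point of the hardened version is ordering: the empty-credential and missing-credential cases are decided (and refused) before the code reaches the comparison, so no configuration can turn "no passphrase present" into a successful login.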
At the time of writing, no public exploits are known to us for the notes mentioned above. A breakdown by priority is given in the full table at the end of this post.
For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and, for ABAP systems, applying them in an automated way (for the patches that ship with automatic correction instructions). A full overview of this month’s SAP Security notes can be found below (these are the new and updated notes released after last month’s Patch Tuesday):
| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3156972 | URL Redirection vulnerability in SAP S/4HANA (Managed Catalogue Item and Catalogue search) | 3,5 | low |
| 2032723 | Switchable authorization checks for RFC in SRM | 6,3 | medium |
| 3312586 | [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform | 4,4 | medium |
| 3358300 | [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One | 7,6 | high |
| 3317710 | [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) | 7,6 | high |
| 3312047 | Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) | 7,5 | high |
| 3348000 | [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 4,9 | medium |
| 3344295 | [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server | 7,5 | high |
| 3341599 | [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner | 7,8 | high |
| 3341460 | [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner | 9,8 | HotNews |
| 3358328 | [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent | 3,7 | low |
| 3350494 | [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration | 6,1 | medium |
| 3333616 | [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer) | 5,3 | medium |
| 3337797 | [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer) | 7,1 | high |
| 3341934 | [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API) | 5,9 | medium |
| 3149794 | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 | 6,1 | medium |
| 2067220 | [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management | 5,8 | medium |
| 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | 8,8 | high |
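As an added example of the monthly triage step described above (this script is not part of the post and not the Protect4S product), the Python below parses note rows in the raw layout this table was extracted in (`|note||description||CVSS||priority|`, decimal comma in the CVSS column), pulls out the CVE identifier where one is present, derives the SAP priority band from the CVSS v3 score, flags rows whose listed priority disagrees with that band, and orders the notes for patching. The band thresholds (HotNews 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0) are SAP's published scheme; the sample rows are copied from the table above.

```python
"""Triage a monthly SAP Security note list: parse, band by CVSS, order for patching.

Added example, not part of the original post or of any SAP/Protect4S tool.
Band thresholds follow SAP's published priority scheme; the sample rows are
copied from the post's own table (CVSS written with a decimal comma).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Raw row layout as extracted: |<note>||<description>||<cvss>||<priority>|
ROW = re.compile(r"^\|(\d+)\|\|(.*?)\|\|(\d+(?:[.,]\d+)?)\|\|(\w+)\|$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

# Sample input, constructed from rows of the table in this post.
SAMPLE = """
|SAP Security note #||Description||CVSS v3 Score||Priority|
|3341460||[CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner||9,8||HotNews|
|3346500||[CVE-2023-39439] Improper authentication in SAP Commerce Cloud||8,8||high|
|3358300||[CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One||7,6||high|
|2032723||Switchable authorization checks for RFC in SRM||6,3||medium|
|3358328||[CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent||3,7||low|
|3156972||URL Redirection vulnerability in SAP S/4HANA (Managed Catalogue Item and Catalogue search)||3,5||low|
"""


@dataclass
class Note:
    number: str
    description: str
    score: float
    priority: str          # priority as listed in the note table
    cve: Optional[str]     # CVE id parsed from the description, if any


def band(score: float) -> str:
    """SAP priority band for a CVSS v3 base score."""
    if score >= 9.0:
        return "HotNews"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_notes(text: str) -> List[Note]:
    """Parse table rows; header and non-table lines are skipped."""
    notes: List[Note] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        number, desc, score, prio = m.groups()
        cve = CVE.search(desc)
        notes.append(Note(number, desc, float(score.replace(",", ".")),
                          prio, cve.group(0) if cve else None))
    return notes


def triage(notes: List[Note]) -> Tuple[List[Note], List[str], Dict[str, int]]:
    """Return (notes ordered highest CVSS first, note numbers whose listed
    priority disagrees with the CVSS band, count of notes per listed priority)."""
    ordered = sorted(notes, key=lambda n: (-n.score, n.number))
    mismatches = [n.number for n in notes if band(n.score) != n.priority]
    counts: Dict[str, int] = {}
    for n in notes:
        counts[n.priority] = counts.get(n.priority, 0) + 1
    return ordered, mismatches, counts


if __name__ == "__main__":
    ordered, mismatches, counts = triage(parse_notes(SAMPLE))
    print("patch order:")
    for n in ordered:
        print(f"  {n.number}  {n.score:4.1f}  {n.priority:8s}  {n.cve or '-':16s}  {n.description}")
    print("priority counts:", counts)
    print("listed priority disagrees with CVSS band:", mismatches or "none")
```

Feeding the full table through `parse_notes` gives the same ordering a patch planner would start from: the HotNews note first, then the high-rated notes, with the CVE column ready for cross-referencing against your vulnerability tracker. The mismatch list is a sanity check on the source data rather than on the systems; a non-empty result means a row should be re-read before it drives a decision.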