On the 8th of August 2023, SAP Security Patch Day saw the release of 15 new Security Notes.
There were 3 updates to previously released Security Notes.
Notes by severity
| Priority | Number of Notes |
| --- | --- |
| Correction with high priority | 8 |
| Correction with medium priority | 7 |
| Correction with low priority | 1 |
On August Patch Day SAP presented 10 high-severity Notes: 2 of them were HotNews and 8 were rated as corrections with high priority.
SAP has maintained the pace of the July Patch Day and again brought a dozen Security Notes this month. Let us walk you through the highest-priority Notes one by one.
We start with the corrections for the SAP PowerDesigner Basis component; there are two significant patches for it this month.
The first is Note 3341460 – Multiple Vulnerabilities in SAP PowerDesigner – with a CVSS Score of 9.8. This SAP security advisory fixes multiple vulnerabilities in the PowerDesigner Proxy, in particular an Improper Access Control and an Information Disclosure issue; see CVE-2023-37483 and CVE-2023-37484 respectively for details.
The second is Note 3341599 – Code Injection vulnerability in SAP PowerDesigner – with a CVSS Score of 7.8. SAP SQLA for PowerDesigner 17, included in SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local system access to install a malicious library that is then executed by the application, letting the attacker manipulate the application’s behavior.
Next is an update to Note 3350297 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – with a CVSS Score of 9.1. Due to a programming error in a function module and a report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authorized attacker to inject an arbitrary operating system command into an unprotected parameter of a common (default) extension. On successful exploitation, the attacker can read or manipulate system data and shut down the system.
This Note has been re-released with updated ‘Symptom’ and ‘Reason and Prerequisites’ information.
SAP Commerce Cloud received a security patch in Note 3346500 – Improper authentication in SAP Commerce Cloud – with a CVSS Score of 8.8. With certain settings, SAP Commerce Cloud may accept an empty password for user ID and password authentication, allowing users to log in without a password.
Note 3331376 – Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) – with a CVSS Score of 8.7 – received an update on this Patch Day. An attacker with non-administrative privileges can overwrite system files by exploiting a directory traversal bug. Although confidential files cannot be read, some OS files may be overwritten, resulting in system compromise.
This Note has been re-released with updated ‘Correction instruction’ information.
SAP Business One has received two major corrections:
Note 3358300 – Cross-Site Scripting (XSS) vulnerability in SAP Business One – with a CVSS Score of 7.6 – describes how cross-site scripting (XSS) in SAP Business One allows an attacker to insert harmful code into the content of a web page or application and have it transmitted to the client. This could result in malicious activity that jeopardizes the application’s confidentiality, integrity, and availability.
Note 3337797 – SQL Injection vulnerability in SAP Business One (B1i Layer) – with a CVSS Score of 7.1 – reports that the B1i module of the SAP Business One application allows an authenticated user with extensive knowledge to send crafted queries over the network to read or alter SQL data. On successful exploitation, the attacker has a modest impact on confidentiality but a substantial effect on the application’s integrity and availability.
Both the SAP BusinessObjects Business Intelligence Suite and the Platform received a correction with high priority:
First – Note 3317710 – Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) – with a CVSS Score of 7.6. An authenticated attacker on the network can overwrite an executable file created in a temporary directory during the installation process by the SAP BusinessObjects installers. By replacing this executable with a malicious file, the attacker can fully compromise the system’s confidentiality, integrity, and availability.
Second – Note 3312047 – Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) – with a CVSS Score of 7.5. SAP BusinessObjects Business Intelligence Platform (CMC) uses a vulnerable version of Commons FileUpload, which is susceptible to Denial of Service (CVE-2023-24998).
And last but not least, Note 3344295 – Improper Authorization check vulnerability in SAP Message Server – with a CVSS Score of 7.5. In certain circumstances, the ACL (Access Control List) of the SAP Message Server can be circumvented, allowing an authenticated malicious user to penetrate the network of SAP systems served by the targeted SAP Message Server. This may result in unauthorized data reads and writes, as well as the system becoming unavailable.
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
| --- | --- | --- | --- | --- | --- |
| BC-SYB-PD | 3341460 | [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CEC-SCC-PLA-PL | 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| BW-BCT-GEN | 3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| BC-SYB-PD | 3341599 | [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner | high | 8.7 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3358300 | [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One | high | 7.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L |
| BI-BIP-INS | 3317710 | [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) | high | 7.6 | CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| BI-BIP-CMC | 3312047 | Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| BC-CST-MS | 3344295 | [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server | high | 7.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3337797 | [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer) | high | 7.1 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H |
| SRM-EBP-INT | 2032723 | Switchable authorization checks for RFC in SRM | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-XI-IBF-WU | 3350494 | [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CEC-SCC-COM-BC-OCC | 3341934 | [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API) | medium | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| SRM-EBP-ADM-XBP | 2067220 | [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management | medium | 5.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| SBO-CRO-SEC | 3333616 | [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer) | medium | 5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-CCM-CNF-PFL | 3348000 | [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| BI-RA-WBI | 3312586 | [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform | medium | 4.4 | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
| BC-CCM-HAG | 3358328 | [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |