SAP Security Notes – August 2023 - Safe O'Clock


August 9, 2023

On the 8th of August 2023, SAP Security Patch Day saw the release of 15 new Security Notes.

There were 3 updates to previously released Security Notes.

Notes by severity

HotNews: 2
Correction with high priority: 8
Correction with medium priority: 7
Correction with low priority: 1

Highlights


On the August Patch Day SAP presented 10 high-severity Notes: 2 of them are HotNews and 8 are rated as corrections with high priority.

SAP has kept the pace of the July Patch Day and once again released well over a dozen Security Notes (15 new Notes plus 3 updates). Below we break down the highest-priority Notes one by one.

We start with the corrections for SAP PowerDesigner (component BC-SYB-PD), which received two significant patches this month.
The first is Note 3341460, Multiple Vulnerabilities in SAP PowerDesigner, with a CVSS score of 9.8. This HotNews advisory fixes multiple vulnerabilities in the PowerDesigner Proxy, in particular an Improper Access Control issue and an Information Disclosure issue; see CVE-2023-37483 and CVE-2023-37484 respectively. With a vector of AV:N/AC:L/PR:N/UI:N, the access-control flaw is reachable by an unauthenticated attacker over the network, which is what pushes the score to 9.8.
The second is Note 3341599, Code Injection vulnerability in SAP PowerDesigner, with a CVSS score of 7.8 (CVE-2023-36923). SAP SQLA for PowerDesigner 17, shipped with SAP PowerDesigner 16.7 SP06 PL03, allows an attacker with local system access to plant a malicious library that the application then loads and executes, letting the attacker manipulate the application's behaviour. The impact is full compromise of confidentiality, integrity and availability, but the attack vector is local (AV:L) and requires low privileges, which keeps the score below the HotNews range.

Next is an update to Note 3350297, OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL), with a CVSS score of 9.1 (CVE-2023-36922). Due to a programming error in a function module and a report of the IS-OIL component, an attacker who already holds high privileges (PR:H) can inject an arbitrary operating system command through an unprotected parameter of a standard (default) extension. A successful exploit lets the attacker read or manipulate system data and shut the system down; the Scope: Changed rating reflects that the command runs on the underlying OS, outside the ABAP authorization model.
This Note has been re-released with updated 'Symptom' and 'Reason and Prerequisites' information.

SAP Commerce Cloud received a security patch in Note 3346500, Improper authentication in SAP Commerce Cloud, with a CVSS score of 8.8 (CVE-2023-39439). In certain configurations, SAP Commerce Cloud's user ID and password authentication accepts an empty passphrase, allowing a user to log in without one. The vector (AV:N/PR:N) reflects that no prior privileges are needed, so installations that use the affected configuration should treat this as an unauthenticated-access issue.

Note 3331376, Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON), with a CVSS score of 8.7 (CVE-2023-33989), also received an update on this Patch Day. An attacker with non-administrative privileges can exploit a directory traversal flaw to overwrite operating system files (the vector in the summary table nevertheless rates Privileges Required as High). Although the contents of confidential files cannot be read (C:N), overwriting OS files can lead to full system compromise (I:H/A:H).
This Note has been re-released with updated 'Correction instruction' information.

SAP Business One received two corrections with high priority:
Note 3358300, Cross-Site Scripting (XSS) vulnerability in SAP Business One, with a CVSS score of 7.6 (CVE-2023-39437). SAP Business One allows an attacker to inject malicious script into the content of a web page or application, which is then delivered to the client. This can compromise the application's confidentiality, integrity and availability.
Note 3337797, SQL Injection vulnerability in SAP Business One (B1i Layer), with a CVSS score of 7.1 (CVE-2023-33993). The B1i layer allows an authenticated user with detailed knowledge of the application to send crafted queries over the network and read or modify SQL data. Successful exploitation has a low impact on confidentiality but a high impact on the application's integrity and availability.

SAP BusinessObjects Business Intelligence Suite and Platform each received a correction with high priority:
First, Note 3317710, Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer), with a CVSS score of 7.6 (CVE-2023-37490). An authenticated attacker on the network can overwrite an executable file that the SAP BusinessObjects installer creates in a temporary directory during installation. By replacing that executable with a malicious file the attacker can fully compromise the confidentiality, integrity and availability of the system.
Second, Note 3312047, Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC), with a CVSS score of 7.5. The Central Management Console (CMC) ships a version of Apache Commons FileUpload affected by CVE-2023-24998, which did not limit the number of request parts it would process and therefore allows an unauthenticated remote attacker to cause a denial of service (AV:N/PR:N/A:H).

Last but not least, Note 3344295, Improper Authorization check vulnerability in SAP Message Server, with a CVSS score of 7.5 (CVE-2023-37491). Under certain circumstances the SAP Message Server's ACL (Access Control List) can be bypassed, allowing an authenticated malicious user to reach the network of SAP systems served by the targeted Message Server. This can lead to unauthorized reads and writes of data and to the system becoming unavailable.

Summary

| SAP Component | Note | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-SYB-PD | 3341460 | [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CEC-SCC-PLA-PL | 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| BW-BCT-GEN | 3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| BC-SYB-PD | 3341599 | [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3358300 | [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One | high | 7.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L |
| BI-BIP-INS | 3317710 | [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) | high | 7.6 | CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
| BI-BIP-CMC | 3312047 | Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| BC-CST-MS | 3344295 | [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server | high | 7.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3337797 | [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer) | high | 7.1 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H |
| SRM-EBP-INT | 2032723 | Switchable authorization checks for RFC in SRM | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-XI-IBF-WU | 3350494 | [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CEC-SCC-COM-BC-OCC | 3341934 | [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API) | medium | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| SRM-EBP-ADM-XBP | 2067220 | [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management | medium | 5.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| SBO-CRO-SEC | 3333616 | [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer) | medium | 5.3 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-CCM-CNF-PFL | 3348000 | [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| BI-RA-WBI | 3312586 | [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform | medium | 4.4 | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
| BC-CCM-HAG | 3358328 | [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |