On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity
| HotNews | 4 |
| Correction with high priority | 4 |
| Correction with medium priority | 7 |
| Correction with low priority | 2 |
Highlights
On December Patch Day SAP presents 8 high-severity Notes, with 4 of them rated as HotNews.
SAP is ending the year with decent security notes number, so let’s dive right into the breakdown of the high-priority ones.
Starting with the usual though important 43rd update for Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.
This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.
Then comes the significant security update of SAP BTP covering multiple CVE’s with the Note 3411067 – Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries – with the CVSS Score of 9.1.
SAP BTP Security Services Integration Libraries and Programming Infrastructures that use these libraries described below allow for privilege escalation under specific scenarios. An unauthenticated attacker who successfully exploits the vulnerability can get arbitrary permissions within the application. This Note contains four CVE’s: CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424 correspondingly to four code languages – Node.js, Java, Python and Golang. Make sure to get familiar with each CVE to acquire necessary mitigation recommendations.
SAP ECC and SAP S/4HANA security notes receives two updates this patch.
The first update will be note 3350297 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – with a CVSS Score of 9.1.
IS-OIL component in SAP ECC and SAP S/4HANA allows an authorized attacker to insert an arbitrary operating system command into an unprotected parameter in a common (default) extension due to programming error in function module and report. The attacker can read or manipulate system data and shut down the system if the exploit is successful.
The recommendations are simple, you should apply this note before the 3399691 note application.
The second is security note update 3399691 itself – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) Update 1 – with a same CVSS Score of 9.1.
This note should be applied after note 3350297 and treated as an update for security note 3350297 to complete its solution. Researchers highlight that If you do not utilize IS-OIL SAP module in your system, the corrections in this note will not be helpful to you.
SAP Commerce Cloud get a security patch in the face of the note 3394567 – Improper Access Control vulnerability in SAP Commerce Cloud – with a CVSS Score of 8.1.
Due to the lack of access controls in place, a locked B2B user in SAP Commerce Cloud can use the forgotten password functionality to unblock his user account and re-gain access if SAP Commerce Cloud – Composable Storefront is used as the storefront. This would have a significant impact on secrecy and integrity.
Note 3382353 will help with SAP BusinessObjects Business Intelligence Platform security – Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 7.5.
The module is vulnerable to stored XSS, which allows an attacker to put agnostic documents into the system, which when examined by any other user could have a significant influence on the application’s integrity.
SAP GUI for WIndows receives a security patch with the note 3385711 – Information disclosure vulnerability in SAP GUI for WIndows and SAP GUI for Java – with a CVSS Score of 7.3.
Unauthenticated attackers can gain access to information that would otherwise be restricted and confidential using SAP GUI for Windows and SAP GUI for Java. Furthermore, this vulnerability allows an unauthenticated attacker to create Layout configurations of the ABAP List Viewer, resulting in a minor impact on integrity and availability, such as raising the AS ABAP response times.
The last highly-prioritized note to highlight will be note 3406244 – Missing Authorization Check in SAP EMARSYS SDK ANDROID – with a CVSS Score of 7.1.
Because the Emarsys SDK for Android lacks adequate authorization checks, an attacker with local access can call a specific activity and forward himself web pages and/or deep links without any validation directly from the host application. After a successful attack, an attacker might travel to arbitrary urls on the device, including application deep links. Depending on the application, there may be serious implications for secrecy and integrity.
This is the last Safe O’Clock Note Digest in 2023, so we would like this opportunity to wish you, on behalf of the SAfe O’Clock team, a Merry Christmas and a productive New Year.
See you next year. Stay safe!
Summary
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews |
10.0
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-CP-CF-SEC-LIB | 3411067 | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries | HotNews |
9.1
|
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| IS-OIL-DS-HPM | 3399691 | Update 1 to 3350297 - [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews |
9.1
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews |
9.1
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS | 3394567 | [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud | high |
8.1
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| BI-BIP-ADM | 3382353 | [CVE-2023-42478] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | high |
7.5
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L |
| BC-FES-GUI | 3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for WIndows and SAP GUI for Java | high |
7.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CEC-EMA | 3406244 | [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID | high |
7.1
|
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| BI-RA-WBI-FE | 3369353 | [CVE-2023-42476] Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence | medium |
6.8
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| SV-SMG-IMP | 3395306 | [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager | medium |
6.4
|
CVSS:/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| FIN-FSCM-BD | 3383321 | [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct | medium |
6.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| PY-IE | 3217087 | [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution) | medium |
6.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CA-UI5-COR-FND | 3159329 | Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5 | medium |
5.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CA-FLP-ABA | 3406786 | [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BC-CCM-MON-ORA | 3392547 | [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium |
4.1
|
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CA-MDG-ML | 3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | low |
3.5
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N |
| BC-MID-SCC | 3362463 | [CVE-2023-49578] Denial of service (DOS) in SAP Cloud Connector | low |
3.5
|
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
