SAP Security Notes – December 2023 - Safe O'Clock


December 13, 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes.

There were 2 updates to previously released Security Notes.

 

Notes by severity

HotNews: 4
Correction with high priority: 4
Correction with medium priority: 7
Correction with low priority: 2

Highlights


This December Patch Day brings 8 high-severity Notes, 4 of them rated HotNews.

 

SAP is ending the year with a sizeable batch of Security Notes, so let’s dive straight into the breakdown of the high-priority ones.

Starting with the usual, but still important, 43rd update of Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.0.
This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information, so check that the Business Client version you deploy actually carries the current Chromium build.

Then comes a significant security update for SAP BTP covering multiple CVEs, Note 3411067 – Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries – with a CVSS Score of 9.1.
The SAP BTP Security Services Integration Libraries, and the programming infrastructures that use them, allow privilege escalation under specific scenarios. An unauthenticated attacker who successfully exploits the vulnerability can obtain arbitrary permissions within the application. The note covers four CVEs, one per language-specific library: CVE-2023-49583 (Node.js), CVE-2023-50422 (Java), CVE-2023-50423 (Python) and CVE-2023-50424 (Go). Review the CVE for each library your applications depend on, since the patched version you need to move to is specific to that library; a BTP landscape with services in several languages has to update all of them.

SAP ECC and SAP S/4HANA receive two Security Notes this Patch Day, both for the IS-OIL component and both tracked under CVE-2023-36922.

The first is Note 3350297 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – with a CVSS Score of 9.1.
The IS-OIL component in SAP ECC and SAP S/4HANA allows an authorized attacker to inject an arbitrary operating system command into an unprotected parameter of a common (default) extension, due to a programming error in a function module and a report. A successful exploit lets the attacker read or manipulate system data and shut the system down.
The recommendation is simple: apply this note before applying Note 3399691.

 

The second is the update note itself, 3399691 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) Update 1 – with the same CVSS Score of 9.1.
This note must be applied after Note 3350297 and is to be treated as an update that completes that note’s solution. Researchers highlight that if you do not use the IS-OIL module in your system, the corrections in this note do not apply to you; confirm whether IS-OIL is active before scheduling the two-step import.

SAP Commerce Cloud gets a security patch with Note 3394567 – Improper Access Control vulnerability in SAP Commerce Cloud – with a CVSS Score of 8.1.
Due to missing access controls, a locked B2B user in SAP Commerce Cloud can use the forgotten-password functionality to unlock their account and regain access when SAP Commerce Cloud – Composable Storefront is used as the storefront. This has a high impact on confidentiality and integrity: an administrator’s decision to lock a user is silently undone by a self-service flow.
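To make the logic flaw concrete, here is an added example in Python; it is not SAP’s code and does not describe how Commerce Cloud implements its reset flow. A minimal forgotten-password service is shown in two modes: `hardened=False` reproduces the behaviour described above (completing a reset also clears the lock), and `hardened=True` treats the lock as a state the reset flow may neither bypass nor clear. The account store, token handling, user IDs and all function names are this example’s own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-account salt (stand-in for the real credential store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    password_hash: bytes
    locked: bool = False  # set by an administrator or a lockout policy; only they clear it


def make_account(user_id, password, locked=False):
    salt = secrets.token_bytes(16)
    return Account(user_id, salt, hash_password(password, salt), locked)


class PasswordResetService:
    """Forgotten-password flow for a storefront (illustrative, not a real product API).

    hardened=False: completing a reset re-activates a locked account, so the
    lock is only as strong as a reset link.
    hardened=True:  a locked account can neither start nor finish a reset.
    """

    def __init__(self, accounts, hardened=True):
        self.accounts = {a.user_id: a for a in accounts}
        self.hardened = hardened
        self._tokens = {}  # reset token -> user_id, single use

    def request_reset(self, user_id):
        """Return a reset token, or None. The caller must send the same
        'if the account exists, a link has been emailed' response in every
        case, so the None branches do not leak whether or why an account is blocked."""
        acct = self.accounts.get(user_id)
        if acct is None:
            return None
        if self.hardened and acct.locked:
            return None  # a locked account cannot start the reset flow
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def complete_reset(self, token, new_password):
        user_id = self._tokens.pop(token, None)  # single use: a replayed token fails
        if user_id is None:
            return False
        acct = self.accounts[user_id]
        if self.hardened and acct.locked:
            return False  # locked after the token was issued: still refuse
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        if not self.hardened:
            acct.locked = False  # the flaw: a password reset doubles as an unlock
        return True

    def login(self, user_id, password):
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            return False
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


def locked_user_regains_access(hardened):
    """Scenario from the note: a B2B user is locked, then walks through
    forgot-password. Returns True if they end up able to log in."""
    svc = PasswordResetService([make_account("b2b-buyer", "old-pw", locked=True)], hardened)
    token = svc.request_reset("b2b-buyer")
    if token is not None:
        svc.complete_reset(token, "new-pw")
    return svc.login("b2b-buyer", "new-pw")


if __name__ == "__main__":
    print("vulnerable flow, locked user regains access:", locked_user_regains_access(False))
    print("hardened flow,   locked user regains access:", locked_user_regains_access(True))
```

The point of the hardened variant is that "locked" is an authorization decision owned by the administrator, and no unauthenticated self-service path may rewrite it. Refusing at both `request_reset` and `complete_reset` covers the case where the lock is applied after a reset link was already sent, and returning the same `None` for unknown and locked users keeps the flow from becoming an account-status oracle.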

Note 3382353 addresses SAP BusinessObjects Business Intelligence Platform – Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 7.5.
The platform is vulnerable to stored XSS: an attacker with high privileges can upload agnostic documents into the system which, when opened by any other user, could have a high impact on the application’s integrity.

SAP GUI for Windows receives a security patch with Note 3385711 – Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java – with a CVSS Score of 7.3.
Through SAP GUI for Windows and SAP GUI for Java, an unauthenticated attacker can gain access to information that would otherwise be restricted and confidential. The vulnerability also allows an unauthenticated attacker to create layout configurations of the ABAP List Viewer, with a low impact on integrity and availability, such as increased AS ABAP response times.

The last high-priority note to highlight is Note 3406244 – Missing Authorization Check in SAP EMARSYS SDK ANDROID – with a CVSS Score of 7.1.
Because the Emarsys SDK for Android lacks adequate authorization checks, an attacker with local access can invoke a specific activity and have the host application forward them to web pages and/or deep links without any validation. After a successful attack, the attacker can navigate to arbitrary URLs on the device, including application deep links. Depending on the application, this can have a high impact on confidentiality and integrity.

This is the last Safe O’Clock Note Digest of 2023, so we would like to take this opportunity to wish you, on behalf of the Safe O’Clock team, a Merry Christmas and a productive New Year.
See you next year. Stay safe!

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
| --- | --- | --- | --- | --- | --- |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-CP-CF-SEC-LIB | 3411067 | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries | HotNews | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| IS-OIL-DS-HPM | 3399691 | Update 1 to 3350297 - [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CEC-COM-CPS | 3394567 | [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| BI-BIP-ADM | 3382353 | [CVE-2023-42478] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L |
| BC-FES-GUI | 3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java | high | 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CEC-EMA | 3406244 | [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID | high | 7.1 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| BI-RA-WBI-FE | 3369353 | [CVE-2023-42476] Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence | medium | 6.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
| SV-SMG-IMP | 3395306 | [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager | medium | 6.4 | CVSS:/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| FIN-FSCM-BD | 3383321 | [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| PY-IE | 3217087 | [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CA-UI5-COR-FND | 3159329 | Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5 | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CA-FLP-ABA | 3406786 | [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BC-CCM-MON-ORA | 3392547 | [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 4.1 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
| CA-MDG-ML | 3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | low | 3.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N |
| BC-MID-SCC | 3362463 | [CVE-2023-49578] Denial of service (DOS) in SAP Cloud Connector | low | 3.5 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |