SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 2 updates to previously released Security Notes.

Notes by severity

Highlights

On January Patch Day SAP presents 7 high-severity Notes, with 3 of them rated as HotNews.

Let us start with patch for SAP Business Application Studio & SAP IDE – Note 3412456 – Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA – with a CVSS Score of 9.1.

Applications written in Node.js using the aforementioned development platforms and intended for deployment to the SAP BTP or Cloud Foundry environment may be susceptible to CVE-2023-49583 under specific circumstances.

SAP Edge Integration Cell received a patch with the Note 3413475 – Escalation of Privileges in SAP Edge Integration Cell – with a CVSS Score of 9.1.
Due to CVE-2023-49583 and CVE-2023-50422, the SAP Edge Integration Cell permits privilege escalation under specific circumstances. This cell is dependent on SAP BTP Security Services Integration Libraries and Programming Infrastructures. An unauthenticated attacker can get arbitrary permissions within the program upon successful exploitation.

The next Note to highlight will be the update for the Note 3411067 – Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries – with a CVSS Score of 9.1.
Specialized programming infrastructures and integration libraries for SAP BTP Security Services permit the escalation of rights under specific circumstances. An unauthenticated attacker can get arbitrary permissions within the program upon successful exploitation.
This note has been re-released with enhancements in the ‘Symptom’, ‘Reason and Prerequisites’ and ‘Solution’ sections.

That was it for HotNews notes, we will bring the description of high-severity ones next.

SAP Application Interface Framework received the Note 3411869 – Code Injection vulnerability in SAP Application Interface Framework (File Adapter) – with a CVSS Score of 8.4.
A high-privilege user in SAP Application Interface Framework File Adapter can directly execute OS commands and navigate through many layers via a function module. This gives the user control over how the application behaves. This has a significant effect on availability, integrity, and confidentiality.

Another high-severity note to describe will be Note 3389917 – Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform – with a CVSS Score of 7.5.
A denial-of-service (DoS) attack can be launched across a network by an unauthorized user using SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform by sending out a large number of HTTP/2 requests and then canceling them. This action could result in memory flooding and have a significant impact on the application’s availability. The integrity and confidentiality of the application are unaffected.

SAP GUI, connector for Microsoft Edge specifically, gets the patch with the Note 3386378 – Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) – with the CVSS Score of 7.4.
A highly sensitive piece of information that would normally be prohibited and have a significant impact on confidentiality can be accessed by an attacker under specific circumstances thanks to the Microsoft Edge browser SAP GUI connection extension.

The last Note to describe will be 3407617 – Improper Authorization check in SAP LT Replication Server – with a CVSS Score of 7.3.
The required authorization checks are not carried out by SAP LT Replication Server. This might give a highly-privileged attacker the opportunity to carry out inadvertent acts that escalate their privileges, which would seriously jeopardize the system’s availability, confidentiality, and integrity.

Summary