SAP Security Notes – July 2023 - Safe O'Clock

SAP Security Notes – July 2023

July 13, 2023

On the 11th of July 2023, SAP Security Patch Day saw the release of 16 new Security Notes.

There were 2 updates to previously released Security Notes.

 

Notes by severity

 

HotNews 2
Correction with high priority 7
Correction with medium priority 9
Correction with low priority 0

Highlights


On July Patch Day SAP presented 9 high-severity Notes, 2 of them were rated as HotNews and 7 were rated as a correction with high priority.

The list of Notes for today contains quite a few high-priority corrections, so let’s break down each of them one by one.

 

The Note with the highest CVSS Score is the usual Update pack for the browser control Google Chromium delivered with SAP Business Client 2622660 – with a CVSS Score of 10. The Note was re-released with updated ‘Solution’ information.

This Security Note addresses various vulnerabilities in the third-party web browser control of the latest Chromium Stable Release, which can be used within SAP Business Client.

 

The second one that we will discuss is the Note for SAP S/4HANA IS-OIL component – 3350297 –  OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – with a CVSS Score of 9.1. 

IS-OIL component in SAP ECC and SAP S/4HANA allows an authorized attacker to insert an arbitrary operating system command into an unprotected parameter in a default extension due to a programming error in the function module and report. The attacker can read or manipulate system data and shut down the system if the exploit is successful.

 

SAP NetWeaver receives a security patch for the add-on of Business Intelligence Platform in a Note 3331376Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) – with a CVSS Score of 8.7. 

An attacker with non-administrative privileges can overwrite system files by exploiting a directory traversal vulnerability. Although data from confidential files cannot be read, some OS files may be overwritten, resulting in system compromise.

 

SAP Web Dispatcher also got two notes for vulnerability mitigations:

 

Note 3233899Request smuggling and request concatenation vulnerability in SAP Web Dispatcher – with a CVSS Score of two ratings: 8.6 and 8.1 based on different CVSS Vectors described below:

The first scenario with an 8.6 rating: in SAP NetWeaver AS ABAP and SAP Web Dispatcher, an unauthenticated attacker can send a maliciously crafted request over a network to a front-end server, which can cause a back-end server to confuse the boundaries of malicious and legitimate messages, resulting in the execution of malicious payloads that can be used to make it temporarily unavailable, having a significant impact on availability.

The second scenario with an 8.1 rating: the scenario is pretty much the same except the maliciously crafted requests numbers are non-predictable and they can allow an attacker to read or modify information on the server or make it temporarily unavailable, adding a slight but significant chance to impact the confidentiality of a system.

Note 3340735Memory Corruption vulnerability in SAP Web Dispatcher – with a CVSS Score of 7.7 – describes the vulnerability that can be exploited by an unauthenticated attacker to cause memory corruption via logical errors in memory management. This can result in information disclosure or system crashes, which can have a low impact on confidentiality but a high impact on the system’s integrity and availability.

 

SAP UI5 receives an update for the Note 3324285 – Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) – with a CVSS Score of 8.2. This June-released note has been re-released with updated ‘Solution’ information.

 

In SAP SQL Anywhere the Denial of service vulnerability was discovered: Note 3331029Denial of service (DOS) vulnerability in SAP SQL Anywhere – with a CVSS Score of 7.8. An attacker may prohibit genuine users from accessing the service by crashing it. With a low-privileged account and local system access an attacker can write into shared memory objects, which leads to Denial of Service. An attacker may also be able to change sensitive data in shared memory objects. This issue affects only SAP SQL Anywhere on Windows. Other platforms are unaffected.

 

Last but not least on this respectably long list – the Diagnostics agent of SAP Solution Manager got two security patches:

Note 3352058Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) – with a CVSS Score of 7.2. Unauthenticated attackers are permitted to execute HTTP requests blindly. The attacker can have a limited impact on the confidentiality and availability of the application and other applications that the Diagnostics Agent can contact if the exploit is successful.

 

Note 3348145Header Injection in SAP Solution Manager (Diagnostic Agent) – with the same CVSS Score of 7.2. An attacker is permitted to tamper with client request headers. This confuses SAP Diagnostics Agent, causing it to serve poisoned material to the server. The attacker can have a limited influence on the application’s confidentiality and availability if the exploit is successful.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
IS-OIL-DS-HPM 3350297 [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
BW-BCT-GEN 3331376 [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) high 8.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
BC-CST-WDP 3233899 [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher high 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CA-UI5-COR 3324285 [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) high 8.2 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
BC-SYB-SQA-SRV 3331029 [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere high 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BC-CST-WDP 3340735 [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher high 7.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
SV-SMG-DIA-SRV-AGT 3352058 [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) high 7.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
SV-SMG-DIA-SRV-AGT 3348145 [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) high 7.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
BC-XI-IS-WKB 3343547 [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) high 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
BC-XI-IS-WKB 3343564 [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
FI-FIO-GL-TRA 3341211 [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) medium 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
KM-SEN-MGR 3326769 [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-MID-RFC 3318850 [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform medium 6.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
BI-BIP-SRV 3320702 [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform medium 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
IS-DFS-BIT-DIS 3351410 [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security medium 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
BW-BEX-OT-BICS-PROV 3088078 [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA medium 4.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK