On the 11th of July 2023, SAP Security Patch Day saw the release of 16 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity
Severity | Count |
---|---|
HotNews | 2 |
Correction with high priority | 7 |
Correction with medium priority | 9 |
Correction with low priority | 0 |
Highlights
On July Patch Day SAP presented 9 high-severity Notes: 2 of them were rated as HotNews and 7 as corrections with high priority.
The list of Notes for today contains quite a few high-priority corrections, so let’s break down each of them one by one.
The Note with the highest CVSS Score is the usual update pack for the Google Chromium browser control delivered with SAP Business Client – 2622660 – with a CVSS Score of 10. The Note was re-released with updated ‘Solution’ information.
This Security Note addresses various vulnerabilities in the third-party web browser control of the latest Chromium Stable Release, which can be used within SAP Business Client.
The second one we will discuss is the Note for the SAP S/4HANA IS-OIL component – 3350297 – OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – with a CVSS Score of 9.1.
Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authorized attacker to insert an arbitrary operating system command into an unprotected parameter of a default extension. If the exploit succeeds, the attacker can read or manipulate system data and shut down the system.
SAP NetWeaver receives a security patch for the Business Intelligence Platform add-on in Note 3331376 – Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) – with a CVSS Score of 8.7.
An attacker with non-administrative privileges can overwrite system files by exploiting a directory traversal vulnerability. Although data from confidential files cannot be read, some OS files may be overwritten, resulting in system compromise.
SAP Web Dispatcher also got two notes for vulnerability mitigations:
Note 3233899 – Request smuggling and request concatenation vulnerability in SAP Web Dispatcher – carries two CVSS Scores, 8.6 and 8.1, based on the different CVSS Vectors described below:
In the first scenario, rated 8.6: in SAP NetWeaver AS ABAP and SAP Web Dispatcher, an unauthenticated attacker can send a maliciously crafted request over the network to a front-end server, causing a back-end server to confuse the boundaries of malicious and legitimate messages. The resulting execution of malicious payloads can be used to make the system temporarily unavailable, with a significant impact on availability.
In the second scenario, rated 8.1, the mechanism is much the same, except that the numbers of maliciously crafted requests are non-predictable; they can allow an attacker to read or modify information on the server or make it temporarily unavailable, adding a slight but significant chance of impacting the confidentiality of the system.
Note 3340735 – Memory Corruption vulnerability in SAP Web Dispatcher – with a CVSS Score of 7.7 – describes a vulnerability that an unauthenticated attacker can exploit to cause memory corruption via logical errors in memory management. This can result in information disclosure or system crashes, with a low impact on confidentiality but a high impact on the system’s integrity and availability.
SAP UI5 receives an update for the Note 3324285 – Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) – with a CVSS Score of 8.2. This June-released note has been re-released with updated ‘Solution’ information.
In SAP SQL Anywhere a Denial of Service vulnerability was discovered: Note 3331029 – Denial of service (DOS) vulnerability in SAP SQL Anywhere – with a CVSS Score of 7.8. An attacker may prevent genuine users from accessing the service by crashing it. With a low-privileged account and local system access, an attacker can write into shared memory objects, which leads to Denial of Service. An attacker may also be able to change sensitive data in shared memory objects. This issue affects only SAP SQL Anywhere on Windows; other platforms are unaffected.
Last but not least on this respectably long list, the Diagnostics Agent of SAP Solution Manager got two security patches:
Note 3352058 – Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) – with a CVSS Score of 7.2. The vulnerability permits unauthenticated attackers to execute HTTP requests blindly. If the exploit succeeds, the attacker can have a limited impact on the confidentiality and availability of the application and of other applications that the Diagnostics Agent can contact.
Note 3348145 – Header Injection in SAP Solution Manager (Diagnostic Agent) – with the same CVSS Score of 7.2. An attacker is permitted to tamper with client request headers. This confuses the SAP Diagnostics Agent, causing it to serve poisoned material to the server. If the exploit succeeds, the attacker can have a limited influence on the application’s confidentiality and availability.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
IS-OIL-DS-HPM | 3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
BW-BCT-GEN | 3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
BC-CST-WDP | 3233899 | [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher | high | 8.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
CA-UI5-COR | 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L |
BC-SYB-SQA-SRV | 3331029 | [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
BC-CST-WDP | 3340735 | [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher | high | 7.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H |
SV-SMG-DIA-SRV-AGT | 3352058 | [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L |
SV-SMG-DIA-SRV-AGT | 3348145 | [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L |
BC-XI-IS-WKB | 3343547 | [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) | high | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
BC-XI-IS-WKB | 3343564 | [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
FI-FIO-GL-TRA | 3341211 | [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
KM-SEN-MGR | 3326769 | [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-MID-RFC | 3318850 | [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | medium | 6.0 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L |
BI-BIP-SRV | 3320702 | [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform | medium | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
IS-DFS-BIT-DIS | 3351410 | [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
BW-BEX-OT-BICS-PROV | 3088078 | [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA | medium | 4.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |