May 2023
On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released.
There were 6 updates to previously released Security Notes.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 2 |
Correction with high priority | 9 |
Correction with medium priority | 10 |
Correction with low priority | 3 |
Highlights
On May Patch Day, SAP presented 11 high-severity Notes with 2 of them rated as HotNews and 9 rated as a correction with high priority.
With this many high-priority Notes, we will focus on the essentials and describe each of the vital updates.
Note 3328495 is the first one we will discuss today, based on the severity score of this pack: Multiple vulnerabilities associated with the Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager (VELM) – with a CVSS Score of 9.8. This Note presents the solution for various known VELM vulnerabilities, from session hijacking due to the short length of the session cookie (CVE-2021-44151) to the valid-user enumeration described in CVE-2021-44155. Several web-interface-related vulnerabilities require applying the solution steps presented in the Note.
Next is the pack of recently released Notes and updates for SAP BusinessObjects Business Intelligence Platform.
First, we will pay attention to Note 3307833 – Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 9.1. The login token of any logged-in BI user or server can be obtained over the network, without user input, by an authenticated attacker with administrator capabilities. The attacker can then pretend to be any user, acquiring access to and control over sensitive data as a result.
Then, here we have the Note 3213507 update – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) – with a CVSS Score of 8.2. In this update, SAP stated that the fix provided in a previous version of the note was incomplete. Referring to Note 3307833 described previously is suggested.
The last Note for SAP BOBJ is 3217303 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) – with a CVSS Score of 7.7. The approach here is exactly the same as with the Monitoring DB Note: refer to Note 3307833. Complete mitigation is advised.
SAP AS NetWeaver JAVA received a patch in Note 3317453 – Improper access control during application start-up in SAP AS NetWeaver JAVA – with a CVSS Score of 8.2. An unauthenticated attacker may exploit an open naming and directory API to create and attach objects which could later be called through methods that avoid the authorisation or authentication check. Without affecting availability, a future call to one of these methods can read or modify the state of already-provided services.
Microsoft Excel add-in (SAP IBP) receives a patch presented in the Note 3323415 – Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel – with a CVSS Score of 8.2. An attacker may run code as the administrator as a result of privilege escalation, which could have a significant negative impact on the system’s confidentiality, integrity, and availability.
We have a couple of Notes for SAP Commerce as high-priority corrections.
The first one is Note 3320145 – Denial of service (DOS) in SAP Commerce – with a CVSS Score of 7.5. As SAP Commerce uses XStream, an attacker can block authorized users from accessing a service by causing the program to crash due to a stack overflow error. This will have an effect on availability.
The second one is 3321309 – Information Disclosure vulnerability in SAP Commerce (Backoffice) – with a CVSS Score of 7.5. SAP Commerce Backoffice allows an attacker to access information via a crafted POST request that would otherwise be restricted under certain circumstances.
The remaining high-severity Notes for May Patch Day are the following.
Note 3300624 – Memory Corruption vulnerability in SAP PowerDesigner (Proxy) – with a CVSS Score of 7.5. An attacker can cause memory corruption by sending a specially designed request from a remote host to the proxy machine, which will cause the proxy server to crash.
Note 3320467 – Information Disclosure vulnerability in SAP GUI for Windows – with a CVSS Score of 7.5. Depending on the authorizations of the victim, the attacker can read and modify sensitive information with the help of the vital data acquired through clickjacking.
Note 3326210 – Improper Neutralization of Input in SAPUI5 – with a CVSS Score of 7.1. Untrusted CSS can be injected because SAPUI5's sap.m.FormattedText control failed to properly neutralize input, resulting in application unavailability. Additionally, the vulnerability could allow an attacker to view or modify user information through phishing attacks due to the lack of URL validation by the program.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
CA-VE | 3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
BI-BIP-SRV | 3307833 | [CVE-2023-28762] Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
BC-JAS-EJB | 3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
SCM-IBP-XLS | 3323415 | [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel | high | 8.2 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
BI-BIP-ADM | 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L |
BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
BC-SYB-PD | 3300624 | [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CEC-COM-CPS-OTH | 3320145 | Denial of service (DOS) in SAP Commerce | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-FES-GUI | 3320467 | [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows | high | 7.5 | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
CEC-COM-CPS-OTH | 3321309 | Information Disclosure vulnerability in SAP Commerce (Backoffice) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CA-UI5-CTR-BAL | 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | high | 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
BI-BIP-LCM | 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | medium | 6.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
BI-BIP-INV | 3313484 | [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
BI-BIP-INV | 3309935 | [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-WUI-UI-TAG | 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BI-BIP-INV | 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BI-BIP-CMC | 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | medium | 6.0 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
EPM-BPC-NW-DOC | 3312892 | [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CA-WUI-CON | 3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
BI-BIP-ADM | 3145769 | [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BI-BIP-ADM | 3038911 | [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service) | medium | 5.0 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
BI-BIP-IDT | 3302595 | [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-SRV-AIF | 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | low | 3.1 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
LO-MD-BP-VM | 2335198 | [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy | low | 2.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |