SAP Security Notes - May 2023 - Safe O'Clock

SAP Security Notes – May 2023

May 9, 2023


On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released.

There were 6 updates to previously released Security Notes.


Notes by severity

HotNews: 2
Correction with high priority: 9
Correction with medium priority: 10
Correction with low priority: 3

Highlights


On May Patch Day, SAP presented 11 high-severity Notes: 2 of them rated as HotNews and 9 rated as corrections with high priority.

The number of high-priority Notes is substantial, so we will focus on the essentials and describe all the vital updates.

Note 3328495 is the first one that we will discuss today, based on the severity score of this pack: Multiple vulnerabilities associated with the Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager (VELM) – with a CVSS Score of 9.8. This Note presents the solution for various known VELM vulnerabilities, from session hijacking due to the short length of the session cookie (CVE-2021-44151) to the enumeration of valid users described in CVE-2021-44155. Several web-interface-related vulnerabilities require applying the solution steps presented in the Note.

The next to describe is the SAP BusinessObjects Business Intelligence Platform pack of recently released Notes and updates.
First, we will pay attention to Note 3307833 Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 9.1. The login token of any logged-in BI user or server can be obtained over the network, without user input, by an authenticated attacker with administrator capabilities. The attacker can then impersonate any user, acquiring access to and control over sensitive data as a result.

Then, here we have the Note 3213507 update – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) – with a CVSS Score of 8.2. In this update, SAP stated that the fix provided in a previous version of the note was incomplete. Referring to Note 3307833 described previously is suggested.

The last Note for SAP BOBJ is 3217303 Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) – with a CVSS Score of 7.7. The approach here is exactly the same as with the Monitoring DB Note: refer to Note 3307833. Complete mitigation is advised.

SAP AS NetWeaver JAVA received a patch in Note 3317453 Improper access control during application start-up in SAP AS NetWeaver JAVA – with a CVSS Score of 8.2. An unauthenticated attacker may exploit an open naming and directory API to create and attach objects which could later be called through methods that bypass the authorisation or authentication check. Without affecting availability, a future call to one of these methods can read or modify the state of already-provided services.

The Microsoft Excel add-in (SAP IBP) receives a patch presented in Note 3323415 Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel – with a CVSS Score of 8.2. An attacker may run code as the administrator as a result of privilege escalation, which could have a significant negative impact on the system’s confidentiality, integrity, and availability.

We have a couple of Notes for SAP Commerce as high-priority corrections.
The first one is Note 3320145 Denial of service (DOS) in SAP Commerce – with a CVSS Score of 7.5. As SAP Commerce uses XStream, an attacker can block authorized users from accessing a service by causing the program to crash due to a stack overflow error. This affects availability.
The second one is Note 3321309 Information Disclosure vulnerability in SAP Commerce (Backoffice) – with a CVSS Score of 7.5. Under certain circumstances, SAP Commerce Backoffice allows an attacker to access information via a crafted POST request that would otherwise be restricted.

The remaining high-severity Notes for May Patch Day are the following.

Note 3300624 Memory Corruption vulnerability in SAP PowerDesigner (Proxy) – with a CVSS Score of 7.5. An attacker can cause memory corruption by sending a specially designed request from a remote host to the proxy machine, which will cause the proxy server to crash.
Note 3320467 Information Disclosure vulnerability in SAP GUI for Windows – with a CVSS Score of 7.5. Depending on the authorizations of the victim, the attacker can read and modify sensitive information with the help of the vital data acquired through clickjacking.
Note 3326210 Improper Neutralization of Input in SAPUI5 – with a CVSS Score of 7.1. Untrusted CSS can be injected because SAPUI5's sap.m.FormattedText control failed to properly neutralize input, resulting in application unavailability. Additionally, because the program does not validate URLs, the vulnerability could allow an attacker to view or modify user information through phishing attacks.

Summary

SAP Component | Number | Description | Priority | CVSS | CVSS Vector
--- | --- | --- | --- | --- | ---
CA-VE | 3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BI-BIP-SRV | 3307833 | [CVE-2023-28762] Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
BC-JAS-EJB | 3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
SCM-IBP-XLS | 3323415 | [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel | high | 8.2 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
BI-BIP-ADM | 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
BC-SYB-PD | 3300624 | [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CEC-COM-CPS-OTH | 3320145 | Denial of service (DOS) in SAP Commerce | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BC-FES-GUI | 3320467 | [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows | high | 7.5 | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CEC-COM-CPS-OTH | 3321309 | Information Disclosure vulnerability in SAP Commerce (Backoffice) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CA-UI5-CTR-BAL | 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | high | 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
BI-BIP-LCM | 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | medium | 6.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BI-BIP-INV | 3313484 | [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
BI-BIP-INV | 3309935 | [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CA-WUI-UI-TAG | 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-BIP-INV | 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-BIP-CMC | 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | medium | 6.0 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
EPM-BPC-NW-DOC | 3312892 | [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CA-WUI-CON | 3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BI-BIP-ADM | 3145769 | [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BI-BIP-ADM | 3038911 | [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service) | medium | 5.0 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
BI-BIP-IDT | 3302595 | [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-SRV-AIF | 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | low | 3.1 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
LO-MD-BP-VM | 2335198 | [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy | low | 2.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N