SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes.

There were 3 updates to previously released Security Notes.

Notes by severity

Highlights

On November Patch Day SAP presents 2 high-severity HotNews Notes.

There are quite a few Notes released and updated so we will highlight and break down both HotNews and main Medium priority Notes released alike.

We will start with 3340576 Note critical update from October patch day – Missing Authorization check in SAP CommonCryptoLib – with a CVSS Score of 9.8.
SAP CommonCryptoLib fails to conduct required authentication checks, which may result in missing or incorrect permission checks for an authenticated user, resulting in privilege escalation. Depending on the program and the amount of access obtained, an attacker could read, edit, or delete restricted data as well as exploit capabilities restricted to a certain user group.

The Note was re-released with updated ‘Solution’ information.

Then we have the second HotNews Security Note 3355658 released – Improper Access Control vulnerability in SAP Business One product installation – with a CVSS Score of 9.6.
The installation of SAP Business One does not execute sufficient authentication and authorization checks for SMB shared folders. As a result, any malicious user has access to this folder. Furthermore, the files in the folder can be executed or used by the installation process, which has a significant influence on confidentiality, integrity, and availability.
This Note covers the vulnerability of SAP Business One version 10. Every user utilizing this recent major update should pay close attention to this correction based on the high severity of the Note.

The next Medium priority Note to describe will be 3333426 – Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) – with a CVSS Score of 6.5.
The SAP NetWeaver AS Java GRMG Heartbeat application allows an attacker to send a forged request from a vulnerable web application, with limited impact on the application’s confidentiality and integrity.
This note has been re-released with updated ‘Support Packages & Patches’ information with the fix provided in the packages SP024 and SP025, as well as designed to support NetWeaver AS Java version 7.50.

The last to highlight will be Note 2494184 for Sybase products – Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products – with a CVSS Score of 6.3.
An attacker could utilize the SAP Sybase Cockpit, SAP Control Center (SCC), SQL Anywhere Monitor, and SQL Anywhere On Demand Edition Cloud Console management tools to deceive an authenticated user into sending an unwanted request to the web server. This vulnerability is caused by a lack of CSRF protection.
This note has been re-released with updated ‘Reason and Prerequisites’ and ‘Solution’ information. Users of Sybase Products like SAP SQL Anywhere or SAP IQ just like other Sybase products mentioned should utilize the updated solution presented.

Summary