SAP Security Notes - April 2023 - Safe O'Clock

SAP Security Notes – April 2023

April 27, 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes.

There were 5 updates to previously released Security Notes.

Notes by severity

HotNews 5
Correction with high priority 1
Correction with medium priority 15
Correction with low priority 3

Highlights

On April Patch Day SAP presents 6 high-severity Notes with 5 of them rated as HotNews and one rated as a correction with high priority.

We will describe the corrections with the highest priority as a digest for today.

 

Starting with the usual Security updates for the browser control Google Chromium delivered with SAP Business Client presented in the Note 2622660 with a CVSS Score of 10.


Next to highlight are high-severity Notes dedicated to SAP NetWeaver, both ABAP and Java.

 

Note 3273480 has been re-released with updated ‘Support Packages & Patches’ information – Improper access control in SAP NetWeaver AS Java (User Defined Search), with a CVSS Score of 9.9. It describes the possibility for an attacker to have full read access for user data, along with compromising availability and integrity of the application. In order to access services that can be used to carry out unauthorised operations affecting users and data throughout the entire system, an unauthenticated attacker can attach to an open interface exposed by JNDI by the User Defined Search (UDS) of SAP NetWeaver AS Java over the network. 

The second Note 3294595 to highlight is another update, it was re-released with updated ‘Solution’ information – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform, with a CVSS Score of 9.6. An attacker with non-administrative rights on SAP NetWeaver Application Server for ABAP and ABAP Platform is able to exploit a directory traversal vulnerability in available service to overwrite the system files. No data can be read during a such attack, but possibly crucial OS files can be rewritten, rendering the system unavailable.

The last high-priority Note covering SAP NetWeaver vulnerabilities is 3305907Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON), with a CVSS Score of 8.7. A report’s Directory Traversal vulnerability can be used by an attacker to upload and alter files on the SAP system. Data cannot be read, but if a remote attacker has enough administrative rights, they may be able to overwrite potentially crucial OS files, rendering the system unavailable. A corresponding Support Package application is necessary to mitigate the issue.

Now we will talk about SAP Diagnostics Agent Note with the set of fixes: 3305369Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLog ServiceCollector), with the highest CVSS Score of 10. The descriptions for vulnerabilities are presented by categories:

Unauthenticated RCE in EventLogServiceCollecto (ELSC): The ELSC gives an attacker the ability to run malicious scripts on all connected Diagnostics Agents since it lacks authentication and input sanitization. If the attack is successful, the attacker has total access to the system’s confidentiality, integrity, and availability. CVSS Score for corresponding CVE-2023-27497 is 10.

Unauthenticated RCE in OSCommand Bridge: The OSCommand Bridge’s lack of authentication and insufficient input validation allows an attacker with in-depth knowledge of the system to run malicious scripts on all associated Diagnostics Agents running on all supported Operating Systems. If the attack is effective, the system’s confidentiality, integrity, and availability will be compromised. CVSS Score for corresponding CVE-2023-27267 is 9.

 

The last to mention is Note 3298961 that covers the SAP BusinessObjects Business Intelligence Platform vulnerabilities – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management), with a CVSS Score of 9.8. Anyone with minimal user privileges can access the lcmbiar file and further decrypt it. Depending on the BI user’s privileges and the attacker’s ability to get user credentials, the intruder may be able to take actions that will completely compromise the application.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
SV-SMG-DIA-SRV-AGT 3305369 [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-XI-CON-UDS 3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
BI-BIP-LCM 3298961 [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management ) HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-CCM-PRN 3294595 [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform HotNews 9.6 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
BW-BCT-GEN 3305907 [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver ( BI CONT ADD ON) high 8.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
BC-VCM-LVM 3312733 [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management medium 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-FES-INS 3311624 [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) medium 6.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EP-PIN-PRT 3289994 [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal medium 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
FI-TV-ODT-MTR 3290901 [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-MID-AC 3296378 [CVE-2023-28763] - Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
BC-FES-WGU 3275458 [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CRM-BF 3309056 [CVE-2023-27897] Code Injection vulnerability in SAP CRM medium 6.0 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
CA-WUI-UI 3269352 [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BC-CST-WDP 3000663 [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BC-JAS-DPL 3287784 [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-BSP 3303060 [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages) medium 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
BC-CST-IC 3315312 [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher medium 5.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CEC-COM-CPS-COR 3316509 Remote Code Execution vulnerability in SAP Commerce medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
BC-SRV-AIF 3115598 [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) medium 4.4 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
PA-FIO-FO 3301457 [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
BC-SRV-AIF 3113349 [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) low 3.7 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
BC-SRV-AIF 3114489 [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) low 3.7 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
BC-SRV-AIF 3117978 [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) low 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK