On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes.
There were 5 updates to previously released Security Notes.
Notes by severity
| HotNews | 5 |
| Correction with high priority | 1 |
| Correction with medium priority | 15 |
| Correction with low priority | 3 |
Highlights
On April Patch Day SAP presents 6 high-severity Notes with 5 of them rated as HotNews and one rated as a correction with high priority.
We will describe the corrections with the highest priority as a digest for today.
Starting with the usual Security updates for the browser control Google Chromium delivered with SAP Business Client presented in the Note 2622660 with a CVSS Score of 10.
Next to highlight are high-severity Notes dedicated to SAP NetWeaver, both ABAP and Java.
Note 3273480 has been re-released with updated ‘Support Packages & Patches’ information – Improper access control in SAP NetWeaver AS Java (User Defined Search), with a CVSS Score of 9.9. It describes the possibility for an attacker to have full read access for user data, along with compromising availability and integrity of the application. In order to access services that can be used to carry out unauthorised operations affecting users and data throughout the entire system, an unauthenticated attacker can attach to an open interface exposed by JNDI by the User Defined Search (UDS) of SAP NetWeaver AS Java over the network.
The second Note 3294595 to highlight is another update, it was re-released with updated ‘Solution’ information – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform, with a CVSS Score of 9.6. An attacker with non-administrative rights on SAP NetWeaver Application Server for ABAP and ABAP Platform is able to exploit a directory traversal vulnerability in available service to overwrite the system files. No data can be read during a such attack, but possibly crucial OS files can be rewritten, rendering the system unavailable.
The last high-priority Note covering SAP NetWeaver vulnerabilities is 3305907 – Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON), with a CVSS Score of 8.7. A report’s Directory Traversal vulnerability can be used by an attacker to upload and alter files on the SAP system. Data cannot be read, but if a remote attacker has enough administrative rights, they may be able to overwrite potentially crucial OS files, rendering the system unavailable. A corresponding Support Package application is necessary to mitigate the issue.
Now we will talk about SAP Diagnostics Agent Note with the set of fixes: 3305369 – Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLog ServiceCollector), with the highest CVSS Score of 10. The descriptions for vulnerabilities are presented by categories:
Unauthenticated RCE in EventLogServiceCollecto (ELSC): The ELSC gives an attacker the ability to run malicious scripts on all connected Diagnostics Agents since it lacks authentication and input sanitization. If the attack is successful, the attacker has total access to the system’s confidentiality, integrity, and availability. CVSS Score for corresponding CVE-2023-27497 is 10.
Unauthenticated RCE in OSCommand Bridge: The OSCommand Bridge’s lack of authentication and insufficient input validation allows an attacker with in-depth knowledge of the system to run malicious scripts on all associated Diagnostics Agents running on all supported Operating Systems. If the attack is effective, the system’s confidentiality, integrity, and availability will be compromised. CVSS Score for corresponding CVE-2023-27267 is 9.
The last to mention is Note 3298961 that covers the SAP BusinessObjects Business Intelligence Platform vulnerabilities – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management), with a CVSS Score of 9.8. Anyone with minimal user privileges can access the lcmbiar file and further decrypt it. Depending on the BI user’s privileges and the attacker’s ability to get user credentials, the intruder may be able to take actions that will completely compromise the application.
Summary
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| SV-SMG-DIA-SRV-AGT | 3305369 | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) | HotNews |
10.0
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews |
10.0
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | HotNews |
9.9
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L |
| BI-BIP-LCM | 3298961 | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management ) | HotNews |
9.8
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-CCM-PRN | 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | HotNews |
9.6
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| BW-BCT-GEN | 3305907 | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver ( BI CONT ADD ON) | high |
8.7
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| BC-VCM-LVM | 3312733 | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management | medium |
6.8
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-FES-INS | 3311624 | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) | medium |
6.7
|
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| EP-PIN-PRT | 3289994 | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| FI-TV-ODT-MTR | 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-MID-AC | 3296378 | [CVE-2023-28763] - Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-FES-WGU | 3275458 | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | medium |
6.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CRM-BF | 3309056 | [CVE-2023-27897] Code Injection vulnerability in SAP CRM | medium |
6.0
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L |
| CA-WUI-UI | 3269352 | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) | medium |
5.4
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-CST-WDP | 3000663 | [CVE-2021-33683] HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | medium |
5.4
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| BC-JAS-DPL | 3287784 | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | medium |
5.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-BSP | 3303060 | [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages) | medium |
5.3
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-CST-IC | 3315312 | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher | medium |
5.0
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| CEC-COM-CPS-COR | 3316509 | Remote Code Execution vulnerability in SAP Commerce | medium |
4.7
|
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| BC-SRV-AIF | 3115598 | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | medium |
4.4
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N |
| PA-FIO-FO | 3301457 | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BC-SRV-AIF | 3113349 | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | low |
3.7
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |
| BC-SRV-AIF | 3114489 | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | low |
3.7
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |
| BC-SRV-AIF | 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | low |
3.1
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
