SAP Security Notes – October 2023 - Safe O'Clock

SAP Security Notes – October 2023

October 11, 2023

On the 10th of October 2023, SAP Security Patch Day saw the release of 6 new Security Notes.

There were 3 updates to previously released Security Notes.

 

Notes by severity

 

HotNews 1
Correction with high priority 0
Correction with medium priority 8
Correction with low priority 0

Highlights


On October Patch Day SAP presents only one high-severity HotNews Note.

 

The month has rather few new releases, nevertheless, we will tell you about the most significant security patches brought with medium severity notes.

 

Starting with a single Hotnews Note for this month comes the usual Google Chromium browser Security update – Note 2622660Security updates for the browser control Google Chromium delivered with SAP Business Client – with CVSS Score of 10. This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.

 

SAP NetWeaver AS for Java received two updates and one new security note with medium priorities.

The first in the list will be released Note 3333426 Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) – with a CVSS Score of 6.5. The SAP NetWeaver AS Java GRMG Heartbeat application allows an attacker to send a crafted request from a vulnerable web application, with limited impact on the application’s confidentiality and integrity.
The second is an update for Note 3371873Update 1 to Security Note 3324732: Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) – with a CVSS Score of 5.3. The fix provided in the security note 3324732 was incomplete for the component ENGINEAPI 7.50.
Authentication with TOTPLoginModule fails despite the correct passcode being entered. As a result, the traces indicate the following exception with the login module: Due to a missing passcode, the second stage of authentication is being re-enacted. It is well-noted that both 3371873 and 3324732 Notes should be implemented.
The last NW AS Java note update is the Note 3324732 – Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) – with a CVSS Score of 5.3. You can find the same recommendation here – it is necessary to implement Note 3371873.

SAP BusinessObjects Web Intelligence got a security patch with the Note 3372991Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence – with a CVSS Score of 6.8. SAP BusinessObjects Web Intelligence has a URL with a parameter that may be exposed to an XSS attack. The attacker might deliver a malicious link to a user, allowing the attacker to retrieve sensitive information.

Security Note 3357154Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) – Introduce the fix for SAP PowerDesigner Client with a CVSS Score of 6.5. SAP PowerDesigner Client does not appropriately check BPMN2 XML documents imported from an untrusted source. As a result, URLs of external entities in the BPMN2 file would be accessible during import, even if they were not used. A successful assault could have an impact on the availability of the SAP PowerDesigner Client.

Last but not least, Note 3219846Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) – with a CVSS Score of 5.4. S/4HANA Manage Withholding Tax Items does not execute appropriate authorization checks for an authenticated user, resulting in privilege escalation without impacting the application’s confidentiality and integrity.

 

Summary

 

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BI-RA-WBI-FE 3372991 [CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence medium 6.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
BC-SYB-PD 3357154 [CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
BC-JAS-ADM-MON 3333426 [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
FI-AP-AP-Q1 3219846 [CVE-2023-42473] Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BC-JAS-SEC 3371873 Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
BC-JAS-SEC 3371873 Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SBO-CRO-SEC 3338380 [CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i) medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
FI-LOC-SRF-RUN 3222121 [CVE-2023-42475] Information Disclosure Vulnerability in Statutory Reporting medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK