On the 10th of October 2023, SAP Security Patch Day saw the release of 6 new Security Notes.
There were 3 updates to previously released Security Notes.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 1 |
Correction with high priority | 0 |
Correction with medium priority | 8 |
Correction with low priority | 0 |
Highlights
On October Patch Day SAP presents only one high-severity HotNews Note.
The month has rather few new releases; nevertheless, we will walk through the most significant security patches delivered as medium-severity notes.
The single HotNews Note for this month is the usual Google Chromium browser security update, Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.
SAP NetWeaver AS for Java received two updates to existing notes and one new security note, all with medium priority.
The first in the list is Note 3333426 – Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) – with a CVSS Score of 6.5. The GRMG Heartbeat application of SAP NetWeaver AS Java allows an attacker to send a crafted request from the vulnerable web application, with limited impact on the application’s confidentiality and integrity.
The second is an update, Note 3371873 – Update 1 to Security Note 3324732: Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) – with a CVSS Score of 5.3. The fix provided in Security Note 3324732 was incomplete for the component ENGINEAPI 7.50.
Authentication with TOTPLoginModule fails despite the correct passcode being entered, and the traces then show the following exception from the login module: due to a missing passcode, the second stage of authentication is re-executed. Note that both Notes 3371873 and 3324732 should be implemented.
The last NW AS Java note update is Note 3324732 – Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) – with a CVSS Score of 5.3. The same recommendation applies here: Note 3371873 must be implemented as well.
SAP BusinessObjects Web Intelligence received a security patch with Note 3372991 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence – with a CVSS Score of 6.8. SAP BusinessObjects Web Intelligence has a URL parameter that is exposed to an XSS attack. An attacker might deliver a malicious link to a user, allowing the attacker to retrieve sensitive information.
Security Note 3357154 – Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) – introduces a fix for SAP PowerDesigner Client with a CVSS Score of 6.5. SAP PowerDesigner Client does not properly validate BPMN2 XML documents imported from an untrusted source. As a result, URLs of external entities in the BPMN2 file would be accessed during import, even if they are not used. A successful attack could affect the availability of the SAP PowerDesigner Client.
Last but not least, Note 3219846 – Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) – with a CVSS Score of 5.4. S/4HANA Manage Withholding Tax Items does not perform appropriate authorization checks for an authenticated user, resulting in privilege escalation without impacting the application’s confidentiality and integrity.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BI-RA-WBI-FE | 3372991 | [CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence | medium | 6.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
BC-SYB-PD | 3357154 | [CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
BC-JAS-ADM-MON | 3333426 | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
FI-AP-AP-Q1 | 3219846 | [CVE-2023-42473] Missing Authorization Check In S/4HANA (Manage Withholding Tax Items) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
BC-JAS-SEC | 3371873 | Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
SBO-CRO-SEC | 3338380 | [CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
FI-LOC-SRF-RUN | 3222121 | [CVE-2023-42475] Information Disclosure Vulnerability in Statutory Reporting | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |