Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – September 2023

On September 12, 2023, SAP released its monthly set of security notes, covering vulnerabilities across NetWeaver, BusinessObjects, S/4HANA, CommonCryptoLib and several smaller products. Most of this month’s notes are classified by SAP as “Program error” corrections. Below is a rundown of the security notes, grouped by SAP priority (HotNews, High, Medium, Low) and ordered by their Common Vulnerability Scoring System (CVSS) base score within each group:

HotNews

  • BI-BIP-CMC [CVE-2023-25616]: Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) with a CVSS score of 9.9. First released on 14.03.2023, updated on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-40622]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) with a CVSS score of 9.9. Released on 12.09.2023.
  • BC-IAM-SSO-CCL [CVE-2023-40309]: Missing Authorization check in SAP CommonCryptoLib with a CVSS score of 9.8. Released on 12.09.2023.
  • BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS score of 10.0. First released on 10.04.2018, updated on 12.09.2023.
  • BC-XI-CON-UDS [CVE-2022-41272]: Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. First released on 13.12.2022, updated on 12.09.2023.

High Priority

  • BI-RA-WBI-FE [CVE-2023-42472]: Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) with a CVSS score of 8.7. Released on 12.09.2023.
  • BC-CCM-HAG [CVE-2023-40308]: Memory Corruption vulnerability in SAP CommonCryptoLib with a CVSS score of 7.5. Released on 12.09.2023.

Medium Priority

  • BC-SYB-PD [CVE-2023-40621]: Code Injection vulnerability in SAP PowerDesigner Client with a CVSS score of 6.3. Released on 12.09.2023.
  • BI-BIP-INS [CVE-2023-40623]: Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) with a CVSS score of 6.2. Released on 12.09.2023.
  • FS-QUO [CVE-2023-24998]: Denial of service (DoS) vulnerability due to the usage of a vulnerable version of Apache Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) with a CVSS score of 5.7. The CVE is the upstream Commons FileUpload identifier. Released on 12.09.2023.
  • BC-WD-UR [CVE-2023-40624]: Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) with a CVSS score of 5.5. Released on 12.09.2023.
  • MM-FIO-PUR-SQ-CON [CVE-2023-40625]: Missing Authorization check in the Manage Purchase Contracts app with a CVSS score of 5.4. Released on 12.09.2023.
  • BC-GP [CVE-2023-41367]: Missing Authentication check in SAP NetWeaver (Guided Procedures) with a CVSS score of 5.3. Released on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-37489]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) with a CVSS score of 5.3. Released on 12.09.2023.

Low Priority

  • FI-FIO-AP [CVE-2023-41369]: External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) with a CVSS score of 3.5. Released on 12.09.2023.
  • FI-FIO-AP-CHK [CVE-2023-41368]: Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage Checkbook apps) with a CVSS score of 2.7. Released on 12.09.2023.

Statistics:

Total SAP security notes: 16 (13 new, 3 updates to previously released notes)
Total vulnerabilities addressed: 16
Highest CVSS Score: 10.0 (HotNews) – Security updates for the browser control Google Chromium delivered with SAP Business Client (BC-FES-BUS-DSK)

Description: This HotNews-rated note is re-released whenever SAP Business Client ships a new Chromium build, and the 10.0 score reflects the aggregated Chromium fixes it carries rather than one SAP-specific bug. It should be checked on every patch day, not only the months in which it is explicitly called out.

Top 2 Critical Bugs:

  1. BI-BIP-CMC [CVE-2023-25616]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
    • Description: This HotNews note resolves a Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). The vector shows the attack is network-reachable and needs only a low-privileged account (PR:L), with full impact on confidentiality, integrity and availability and a changed scope (S:C), meaning the damage reaches beyond the vulnerable component. Prompt patching is advised.
  2. BC-XI-CON-UDS [CVE-2022-41272]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
    • Description: This HotNews note addresses Improper Access Control in SAP NetWeaver AS Java (User Defined Search). The vector shows an unauthenticated network attacker (PR:N) with high impact on confidentiality and low impact on integrity and availability; because the note was first released in December 2022 and updated this month, systems that applied the original version should be re-checked. Immediate patching is essential to protect the application and its users.
