Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – December 2023

On December 12, 2023, SAP once again demonstrated its commitment to cybersecurity by releasing a crucial set of security patches. These patches are designed to fix various vulnerabilities identified across various SAP products. The focus of this month’s SAP Security Patch Day is primarily on fixing program errors that have the potential to pose security risks. We have provided a detailed overview of the security notes released below, organized according to their severity as determined by the Common Vulnerability Scoring System (CVSS) scores:

Vulnerability IDCVE NumberDescriptionCVSS ScoreRelease DateUpdate Date
BI-BIP-CMCCVE-2023-25616Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)9.914.03.202312.09.2023
BI-BIP-LCMCVE-2023-40622Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)9.912.09.2023
BC-IAM-SSO-CCLCVE-2023-40309Missing Authorization check in SAP CommonCryptoLib9.812.09.2023
BC-FES-BUS-DSKCVE-2023-40624Security updates for the browser control Google Chromium delivered with SAP Business Client10.010.04.201812.09.2023
BC-XI-CON-UDSCVE-2022-41272Improper access control in SAP NetWeaver AS Java (User Defined Search)9.913.12.202212.09.2023
BI-RA-WBI-FECVE-2023-42472Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)8.712.09.2023
BC-CCM-HAGCVE-2023-40308Memory Corruption vulnerability in SAP CommonCryptoLib7.512.09.2023
BC-SYB-PDCVE-2023-40621Code Injection vulnerability in SAP PowerDesigner Client6.312.09.2023
MM-FIO-PUR-SQ-CONCVE-2023-40625Missing Authorization check in Manage Purchase Contracts App5.412.09.2023
BC-GPCVE-2023-41367Missing Authentication check in SAP NetWeaver (Guided Procedures)5.312.09.2023
BI-BIP-LCMCVE-2023-37489Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)5.312.09.2023
FS-QUOCVE-2023-40308Denial of service (DOS) vulnerability in SAP Quotation Management Insurance (FS-QUO)5.712.09.2023
BC-WD-URCVE-2023-40624Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)5.512.09.2023
BI-BIP-INSCVE-2023-40623Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer)6.212.09.2023
FI-FIO-AP-CHKCVE-2023-41368Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps)2.712.09.2023
FI-FIO-APCVE-2023-41369External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)3.512.09.2023

Discovered by RedRays

Also, SAP has released a security update to address a vulnerability in the SAP Cloud Connector.

This vulnerability has been identified as CVE-2023-49578 and was discovered by the RedRays team. If exploited, the vulnerability can allow an authorized user with low privileges to launch a Denial of Service (DoS) attack. The attack can be executed from an UI by sending a malicious request, leading to impact on the availability of the application, with no impact on its confidentiality or integrity.

The vulnerability is due to missing input validation, and SAP has implemented appropriate input validation in the SAP Cloud Connector version 2.16.1 to address this issue. SAP advises all users to upgrade their existing Cloud Connector installations to this fixed version.

The update is available for download at https://tools.hana.ondemand.com/#cloud, and detailed instructions for the upgrade process can be found at https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/upgrade. Further information on fixes and new features is available at https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Connectivity.

Statistics:

  • Total new SAP notes released: 16
  • Total vulnerabilities addressed: 16
  • Highest CVSS Score: 10.0 (HotNews)
  • Security updates for the browser control Google Chromium delivered with SAP Business Client – [CVE-2023-40624]

Top 3 Critical Issues:

  • BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score: 10.0)
    This vulnerability could compromise the integrity and confidentiality of the SAP Business Client through the browser control.
  • BC-CP-CF-SEC-LIB [Multiple CVEs]: Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries (CVSS Score: 9.1)
    This issue allows unauthorized escalation of privileges, potentially compromising system security.
  • IS-OIL-DS-HPM [CVE-2023-36922]: OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (CVSS Score: 9.1)
    This vulnerability allows attackers to execute arbitrary OS commands, posing a significant threat to the integrity and availability of the system.

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.