Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – August 2023

On August 8, 2023, SAP released a new set of security patches to address various vulnerabilities in their products. This month’s SAP Security Patch Day focuses on resolving Program errors. Below is a detailed overview of the security notes sorted by their Common Vulnerability Scoring System (CVSS) score from highest to lowest:

  1. SAP BusinessObjects Business Intelligence Platform (BI-RA-WBI) – [CVE-2023-39440] CVSS Score: 4.4 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. The correction has a medium priority.
  2. SAP Business One (SBO-CRO-SEC) – [CVE-2023-39437] CVSS Score: 7.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) Description: This note resolves a Cross-Site Scripting (XSS) vulnerability in SAP Business One. The correction has a high priority.
  3. SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – [CVE-2023-37490] CVSS Score: 7.6 (CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) Description: This note fixes a Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer). The correction has a high priority.
  4. SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – [CVE-2023-37490] CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Description: This note addresses a Denial of Service (DoS) vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). The correction has a high priority.
  5. SAP NetWeaver AS ABAP and ABAP Platform (BC-CCM-CNF-PFL) – [CVE-2023-37492] CVSS Score: 4.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) Description: This note resolves a Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The correction has a medium priority.
  6. SAP Message Server (BC-CST-MS) – [CVE-2023-37491] CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) Description: This note fixes an Improper Authorization check vulnerability in SAP Message Server. The correction has a high priority.
  7. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-36923] CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Description: This note addresses a Code Injection vulnerability in SAP PowerDesigner. The correction has a high priority.
  8. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483] CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Description: This note resolves Multiple Vulnerabilities in SAP PowerDesigner. The correction is classified as HotNews.
  9. SAP Host Agent (BC-CCM-HAG) – [CVE-2023-36926] CVSS Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Description: This note addresses an Information disclosure vulnerability in SAP Host Agent. The correction has a low priority.
  10. SAP NetWeaver Process Integration (BC-XI-IBF-WU) – [CVE-2023-37488] CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Description: This note resolves a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration. The correction has a medium priority.
  11. SAP Business One (SBO-CRO-SEC) – [CVE-2023-37487] CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) Description: This note addresses a Security Misconfiguration vulnerability in SAP Business One (Service Layer). The correction has a medium priority.
  12. SAP Business One (SBO-CRO-SEC) – [CVE-2023-33993] CVSS Score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H) Description: This note resolves an SQL Injection vulnerability in SAP Business One (B1i Layer). The correction has a high priority.
  13. SAP Commerce (CEC-SCC-COM-BC-OCC) – [CVE-2023-37486] CVSS Score: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP Commerce (OCC API). The correction has a medium priority.
  14. SAPUI5 (CA-UI5-COR) – [CVE-2023-37484] CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Description: This note resolves Cross-Site Scripting (XSS) vulnerabilities in the jQuery-UI library bundled with SAPUI5. The correction has a medium priority.
  15. SAP Supplier Relationship Management (SRM-EBP-ADM-XBP) – [CVE-2023-39436] CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP Supplier Relationship Management. The correction has a medium priority.
  16. SAP Commerce Cloud (CEC-SCC-PLA-PL) – [CVE-2023-39439] CVSS Score: Not available. Description: This note resolves an Improper authentication issue in SAP Commerce Cloud.
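To check the scores quoted above and rank the notes by severity, here is an added CVSS v3.0 base-score calculator (example code written for this summary, not tooling from RedRays or SAP). It parses the vector strings as printed, recomputes the base score from the FIRST v3.0 formulas, and reports any note whose stated score does not match; NOTES holds three entries copied from the list above, and the rounding helper and metric weights are the ones FIRST publishes.

```python
import math

# CVSS v3.0 base weights (FIRST spec, section 8.4); PR is (scope unchanged, changed).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def roundup(value):
    # Round up to one decimal via integers, as FIRST recommends, to avoid float drift.
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0

def parse_vector(vector):
    # 'CVSS:3.0/AV:N/...' -> {'AV': 'N', ...}; rejects other versions and missing metrics.
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.0":
        raise ValueError("unsupported vector prefix: " + prefix)
    m = dict(p.split(":", 1) for p in parts)
    missing = [k for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A") if k not in m]
    if missing:
        raise ValueError("vector missing base metrics: %s" % missing)
    return m

def base_score(vector):
    # CVSS v3.0 base score: impact + exploitability, x1.08 when scope changes.
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    ex = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["PR"]][changed] * W["UI"][m["UI"]]
    total = (1.08 if changed else 1.0) * (impact + ex)
    return 0.0 if impact <= 0 else roundup(min(total, 10))

# Three August 2023 notes as listed on this page: (CVE, stated score, vector).
NOTES = [
    ("CVE-2023-39440", 4.4, "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"),
    ("CVE-2023-37490", 7.6, "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"),
    ("CVE-2023-37483", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]

def check_notes(notes):
    # Recompute each score; return notes ranked high-to-low plus any mismatches.
    mismatches = [(c, s, base_score(v)) for c, s, v in notes if base_score(v) != s]
    return sorted(notes, key=lambda n: base_score(n[2]), reverse=True), mismatches
```

Feeding all sixteen vectors from the list into check_notes gives an ordering to compare against the published one and catches transcription errors in either the score or the vector.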


Statistics:

Total new SAP notes: 16
Total vulnerabilities addressed: 16

Highest CVSS Score: 9.8 (HotNews) – SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483]

Description: This HotNews-rated note resolves multiple vulnerabilities in SAP PowerDesigner, with a critical CVSS score of 9.8.

The vulnerabilities addressed in this correction pose a significant risk to the system’s integrity and confidentiality, emphasizing the importance of applying this patch with utmost urgency.

Top 3 Critical Bugs:

  1. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483] CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Description: This HotNews-rated note addresses multiple vulnerabilities in SAP PowerDesigner. With a CVSS score of 9.8, these critical issues demand immediate attention to protect against potential exploitation and unauthorized access.
  2. SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – [CVE-2023-37490] CVSS Score: 7.6 (CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) Description: This high-priority note resolves a Binary hijack vulnerability in SAP BusinessObjects Business Intelligence Suite (installer) with a CVSS score of 7.6. As this vulnerability allows attackers to compromise system integrity and confidentiality, prompt action is advised to mitigate potential risks.
  3. SAP Business One (SBO-CRO-SEC) – [CVE-2023-39437] CVSS Score: 7.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) Description: This high-priority note addresses a Cross-Site Scripting (XSS) vulnerability in SAP Business One with a CVSS score of 7.6. As XSS attacks can lead to data theft and unauthorized access, immediate patching is essential to protect the application and its users.

Priority Distribution: High (5), Medium (9), Low (1), HotNews (1)

Conclusion: This month’s SAP Security Patch Day covers a range of vulnerabilities with varying CVSS scores and priority levels. The top three critical bugs, including the HotNews-rated vulnerability in SAP PowerDesigner, underline the importance of applying these patches promptly to safeguard the SAP environment from potential threats and ensure the security and integrity of business-critical data.
