Arpine Maghakyan

Security Researcher at RedRays.

SAP Security Patch Day – August 2023

On August 8, 2023, SAP released a new set of security patches to address various vulnerabilities in their products. This month’s SAP Security Patch Day focuses on resolving Program errors. Below is a detailed overview of the security notes sorted by their Common Vulnerability Scoring System (CVSS) score from highest to lowest:

  1. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483] CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Description: This note resolves Multiple Vulnerabilities in SAP PowerDesigner. The correction is classified as HotNews.
  2. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-36923] CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Description: This note addresses a Code Injection vulnerability in SAP PowerDesigner. The correction has a high priority.
  3. SAP Business One (SBO-CRO-SEC) – [CVE-2023-39437] CVSS Score: 7.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) Description: This note resolves a Cross-Site Scripting (XSS) vulnerability in SAP Business One. The correction has a high priority.
  4. SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – [CVE-2023-37490] CVSS Score: 7.6 (CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) Description: This note fixes a Binary hijack vulnerability in SAP BusinessObjects Business Intelligence Suite (installer). The correction has a high priority.
  5. SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – [CVE-2023-37490] CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Description: This note addresses a Denial of Service (DoS) vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). The correction has a high priority.
  6. SAP Message Server (BC-CST-MS) – [CVE-2023-37491] CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) Description: This note fixes an Improper Authorization check vulnerability in SAP Message Server. The correction has a high priority.
  7. SAP Business One (SBO-CRO-SEC) – [CVE-2023-33993] CVSS Score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H) Description: This note resolves an SQL Injection vulnerability in SAP Business One (B1i Layer). The correction has a high priority.
  8. SAP NetWeaver Process Integration (BC-XI-IBF-WU) – [CVE-2023-37488] CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Description: This note resolves a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration. The correction has a medium priority.
  9. SAPUI5 (CA-UI5-COR) – [CVE-2023-37484] CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Description: This note resolves Cross-Site Scripting (XSS) vulnerabilities in the jQuery-UI library bundled with SAPUI5. The correction has a medium priority.
  10. SAP Commerce (CEC-SCC-COM-BC-OCC) – [CVE-2023-37486] CVSS Score: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP Commerce (OCC API). The correction has a medium priority.
  11. SAP Supplier Relationship Management (SRM-EBP-ADM-XBP) – [CVE-2023-39436] CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP Supplier Relationship Management. The correction has a medium priority.
  12. SAP Business One (SBO-CRO-SEC) – [CVE-2023-37487] CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) Description: This note addresses a Security Misconfiguration vulnerability in SAP Business One (Service Layer). The correction has a medium priority.
  13. SAP NetWeaver AS ABAP and ABAP Platform (BC-CCM-CNF-PFL) – [CVE-2023-37492] CVSS Score: 4.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) Description: This note resolves a Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The correction has a medium priority.
  14. SAP BusinessObjects Business Intelligence Platform (BI-RA-WBI) – [CVE-2023-39440] CVSS Score: 4.4 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) Description: This note addresses an Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform. The correction has a medium priority.
  15. SAP Host Agent (BC-CCM-HAG) – [CVE-2023-36926] CVSS Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Description: This note addresses an Information disclosure vulnerability in SAP Host Agent. The correction has a low priority.
  16. SAP Commerce Cloud (CEC-SCC-PLA-PL) – [CVE-2023-39439] CVSS Score: Not available Description: This note resolves an Improper authentication issue in SAP Commerce Cloud.


Statistics:

Total new SAP notes: 16

Total vulnerabilities addressed: 16

Highest CVSS Score: 9.8 (HotNews) – SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483]

Description: This HotNews-rated note resolves multiple vulnerabilities in SAP PowerDesigner, with a critical CVSS score of 9.8.

The vulnerabilities addressed in this correction pose a significant risk to the system’s integrity and confidentiality, emphasizing the importance of applying this patch with utmost urgency.

Top 3 Critical Bugs:

  1. SAP PowerDesigner (BC-SYB-PD) – [CVE-2023-37483] CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Description: This HotNews-rated note addresses multiple vulnerabilities in SAP PowerDesigner. With a CVSS score of 9.8, these critical issues demand immediate attention to protect against potential exploitation and unauthorized access.
  2. SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – [CVE-2023-37490] CVSS Score: 7.6 (CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) Description: This high-priority note resolves a Binary hijack vulnerability in SAP BusinessObjects Business Intelligence Suite (installer) with a CVSS score of 7.6. As this vulnerability allows attackers to compromise system integrity and confidentiality, prompt action is advised to mitigate potential risks.
  3. SAP Business One (SBO-CRO-SEC) – [CVE-2023-39437] CVSS Score: 7.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) Description: This high-priority note addresses a Cross-Site Scripting (XSS) vulnerability in SAP Business One with a CVSS score of 7.6. As XSS attacks can lead to data theft and unauthorized access, immediate patching is essential to protect the application and its users.

Priority Distribution: High (5), Medium (9), Low (1), HotNews (1)

Conclusion: This month’s SAP Security Patch Day covers a range of vulnerabilities with varying CVSS scores and priority levels. The top three critical bugs, including the HotNews-rated vulnerability in SAP PowerDesigner, underline the importance of applying these patches promptly to safeguard the SAP environment from potential threats and ensure the security and integrity of business-critical data.
