On December 12, 2023, SAP once again demonstrated its commitment to cybersecurity by releasing a crucial set of security patches. These patches fix vulnerabilities identified across a range of SAP products. The focus of this month’s SAP Security Patch Day is primarily on fixing program errors that could pose security risks. Below is a detailed overview of the security notes released, organized by severity as determined by their Common Vulnerability Scoring System (CVSS) scores:
Vulnerability ID | CVE Number | Description | CVSS Score | Release Date | Update Date |
---|---|---|---|---|---|
BI-BIP-CMC | CVE-2023-25616 | Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9.9 | 14.03.2023 | 12.09.2023 |
BI-BIP-LCM | CVE-2023-40622 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9.9 | 12.09.2023 | – |
BC-IAM-SSO-CCL | CVE-2023-40309 | Missing Authorization check in SAP CommonCryptoLib | 9.8 | 12.09.2023 | – |
BC-FES-BUS-DSK | CVE-2023-40624 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | 10.04.2018 | 12.09.2023 |
BC-XI-CON-UDS | CVE-2022-41272 | Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9.9 | 13.12.2022 | 12.09.2023 |
BI-RA-WBI-FE | CVE-2023-42472 | Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 8.7 | 12.09.2023 | – |
BC-CCM-HAG | CVE-2023-40308 | Memory Corruption vulnerability in SAP CommonCryptoLib | 7.5 | 12.09.2023 | – |
BC-SYB-PD | CVE-2023-40621 | Code Injection vulnerability in SAP PowerDesigner Client | 6.3 | 12.09.2023 | – |
MM-FIO-PUR-SQ-CON | CVE-2023-40625 | Missing Authorization check in Manage Purchase Contracts App | 5.4 | 12.09.2023 | – |
BC-GP | CVE-2023-41367 | Missing Authentication check in SAP NetWeaver (Guided Procedures) | 5.3 | 12.09.2023 | – |
BI-BIP-LCM | CVE-2023-37489 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 5.3 | 12.09.2023 | – |
FS-QUO | CVE-2023-40308 | Denial of service (DOS) vulnerability in SAP Quotation Management Insurance (FS-QUO) | 5.7 | 12.09.2023 | – |
BC-WD-UR | CVE-2023-40624 | Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 5.5 | 12.09.2023 | – |
BI-BIP-INS | CVE-2023-40623 | Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | 6.2 | 12.09.2023 | – |
FI-FIO-AP-CHK | CVE-2023-41368 | Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 2.7 | 12.09.2023 | – |
FI-FIO-AP | CVE-2023-41369 | External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | 3.5 | 12.09.2023 | – |
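As an added example (not part of the original post), the following Python parses a few rows constructed from the table above, tags each note with SAP's CVSS-based priority band, and flags CVE numbers that are listed on more than one row so they can be re-checked against the official SAP note before patching is scheduled.

```python
# Added example, not from the original post: parse the patch-day table above,
# bucket each note into SAP's priority bands by CVSS score, and flag CVE
# numbers that appear on more than one row (the table above has two such
# cases) so they are verified against the official note before scheduling.
from collections import defaultdict

# Constructed sample: a subset of the rows from the table on this page.
SAMPLE_TABLE = """\
Vulnerability ID | CVE Number | Description | CVSS Score | Release Date | Update Date |
---|---|---|---|---|---|
BC-FES-BUS-DSK | CVE-2023-40624 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | 10.04.2018 | 12.09.2023 |
BC-CCM-HAG | CVE-2023-40308 | Memory Corruption vulnerability in SAP CommonCryptoLib | 7.5 | 12.09.2023 | – |
FS-QUO | CVE-2023-40308 | Denial of service (DOS) vulnerability in SAP Quotation Management Insurance (FS-QUO) | 5.7 | 12.09.2023 | – |
BC-WD-UR | CVE-2023-40624 | Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 5.5 | 12.09.2023 | – |
FI-FIO-AP-CHK | CVE-2023-41368 | Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 2.7 | 12.09.2023 | – |
"""

def parse_notes(table_text):
    """Turn the pipe-delimited table into a list of dicts; skips header and separator rows."""
    notes = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Vulnerability ID" or set(cells[0]) <= {"-"}:
            continue
        notes.append({"component": cells[0], "cve": cells[1],
                      "description": cells[2], "cvss": float(cells[3])})
    return notes

def sap_priority(cvss):
    """SAP priority bands: HotNews 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low below 4.0."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

def triage(table_text):
    """Return notes sorted by descending CVSS, each tagged with its SAP priority band."""
    notes = parse_notes(table_text)
    for n in notes:
        n["priority"] = sap_priority(n["cvss"])
    return sorted(notes, key=lambda n: n["cvss"], reverse=True)

def duplicate_cves(table_text):
    """Map each CVE listed on more than one row to the components it is listed under."""
    seen = defaultdict(list)
    for n in parse_notes(table_text):
        seen[n["cve"]].append(n["component"])
    return {cve: comps for cve, comps in seen.items() if len(comps) > 1}
```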
Discovered by RedRays
Also, SAP has released a security update to address a vulnerability in the SAP Cloud Connector.
This vulnerability has been identified as CVE-2023-49578 and was discovered by the RedRays team. If exploited, the vulnerability can allow an authorized user with low privileges to launch a Denial of Service (DoS) attack. The attack can be executed from the UI by sending a malicious request, leading to impact on the availability of the application, with no impact on its confidentiality or integrity.
The vulnerability is due to missing input validation, and SAP has implemented appropriate input validation in the SAP Cloud Connector version 2.16.1 to address this issue. SAP advises all users to upgrade their existing Cloud Connector installations to this fixed version.
The update is available for download at https://tools.hana.ondemand.com/#cloud, and detailed instructions for the upgrade process can be found at https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/upgrade. Further information on fixes and new features is available at https://help.sap.com/whats-new/cf0cb2cb149647329b5d02aa96303f56?Component=Connectivity.
Statistics:
- Total new SAP notes released: 16
- Total vulnerabilities addressed: 16
- Highest CVSS Score: 10.0 (HotNews)
  - Security updates for the browser control Google Chromium delivered with SAP Business Client – [CVE-2023-40624]
Top 3 Critical Issues:
- BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score: 10.0)
  This vulnerability could compromise the integrity and confidentiality of the SAP Business Client through the browser control.
- BC-CP-CF-SEC-LIB [Multiple CVEs]: Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries (CVSS Score: 9.1)
  This issue allows unauthorized escalation of privileges, potentially compromising system security.
- IS-OIL-DS-HPM [CVE-2023-36922]: OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (CVSS Score: 9.1)
  This vulnerability allows attackers to execute arbitrary OS commands, posing a significant threat to the integrity and availability of the system.