Arpine Maghakyan

Security Researcher at RedRays.

SAP Security Patch Day – July 2023

On July 11, 2023, SAP released several new and updated security patches. This month’s SAP Security Patch Day addressed a variety of vulnerabilities, with a particular focus on program errors.

Detailed Overview of the New Security Notes

Here are the details of the new and updated security notes released in July, sorted by CVSS score from highest to lowest:

  1. SAP Business Client (BC-FES-BUS-DSK): Security updates for the browser control Google Chromium delivered with SAP Business Client were addressed with a CVSS score of 10.0. This correction was given the highest priority (HotNews).
  2. SAP ECC and SAP S/4HANA (IS-OIL) (IS-OIL-DS-HPM): An OS command injection vulnerability [CVE-2023-36922] was addressed with a CVSS score of 9.1. This correction was given the highest priority (HotNews).
  3. SAP NetWeaver (BI CONT ADD ON) (BW-BCT-GEN): A Directory Traversal vulnerability [CVE-2023-33989] was addressed with a CVSS score of 8.7. This correction was given a high priority.
  4. SAP Web Dispatcher (BC-CST-WDP): A Request smuggling and request concatenation vulnerability [CVE-2023-33987] was addressed with a CVSS score of 8.6. This correction was given a high priority.
  5. SAP SQL Anywhere (BC-SYB-SQA-SRV): A Denial of Service (DoS) vulnerability [CVE-2023-33990] was addressed with a CVSS score of 7.8. This correction was given a high priority.
  6. SAP Web Dispatcher (BC-CST-WDP): A Memory Corruption vulnerability [CVE-2023-35871] was addressed with a CVSS score of 7.7. This correction was given a high priority.
  7. SAP Solution Manager (Diagnostics agent) (SV-SMG-DIA-SRV-AGT): Two vulnerabilities were addressed: an Unauthenticated blind SSRF [CVE-2023-36925] and a Header Injection [CVE-2023-36921], both with a CVSS score of 7.2. These corrections were given a high priority.
  8. SAP NetWeaver Process Integration (BC-XI-IS-WKB): Two Missing Authentication Check vulnerabilities [CVE-2023-35872, CVE-2023-35873] were addressed, both with a CVSS score of 6.5. These corrections were given a medium priority.
  9. SAP NetWeaver AS ABAP and ABAP Platform (BC-MID-RFC): An Improper authentication vulnerability [CVE-2023-35874] was addressed with a CVSS score of 6.0. This correction was given a medium priority.
  10. SAP Enable Now (KM-SEN-MGR): Multiple Vulnerabilities were addressed with a CVSS score of 6.1. This correction was given a medium priority.
  11. SAP S/4HANA (Manage Journal Entry Template) (FI-FIO-GL-TRA): An Improper Access Control vulnerability [CVE-2023-35870] was addressed with a CVSS score of 6.3. This correction was given a medium priority.
  12. SAP BusinessObjects Business Intelligence Platform (BI-BIP-SRV): A Password Change rate limit bypass [CVE-2023-36917] was addressed with a CVSS score of 5.9. This correction was given a medium priority.
  13. SAP NetWeaver AS for Java (Log Viewer) (BC-JAS-SEC): A Log Injection vulnerability [CVE-2023-31405] was addressed with a CVSS score of 5.3. This correction was given a medium priority.
  14. SAP ERP Defense Forces and Public Security (IS-DFS-BIT-DIS): A Log Injection vulnerability [CVE-2023-36924] was addressed with a CVSS score of 4.9. This correction was given a medium priority.
  15. SAP Business Warehouse and SAP BW/4HANA (BW-BEX-OT-BICS-PROV): A Missing Authorization Check [CVE-2023-33992] was addressed with a CVSS score of 4.5. This correction was given a medium priority.

Statistics:

  • Total new SAP notes: 16
  • Total updated SAP notes: 1 (SAP Business Client (BC-FES-BUS-DSK))
  • Vulnerabilities per system: SAP Solution Manager (2), SAP ECC and SAP S/4HANA (1), SAP NetWeaver (4), SAP Business Client (1), SAP BusinessObjects Business Intelligence Platform (1), SAP ERP Defense Forces and Public Security (1), SAP Business Warehouse and SAP BW/4HANA (1), SAP SQL Anywhere (1), SAP Enable Now (1), SAP S/4HANA (1)
  • Top 3 critical bugs: Security updates for the browser control Google Chromium delivered with SAP Business Client, OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL), Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)

Conclusion

With a variety of new and updated SAP Security Notes, SAP’s July Patch Day was a busy one. Special attention should be paid to the high priority corrections, particularly those affecting SAP Business Client, SAP ECC and SAP S/4HANA (IS-OIL), and SAP NetWeaver (BI CONT ADD ON). As always, applying these patches as soon as possible is recommended to maintain the security and integrity of your SAP systems.
