Arpine Maghakyan

Security Researcher of RedRays.

SAP Security Patch Day – May 2023

SAP released 27 new and updated Security Notes on May 9, 2023. These include three HotNews Notes and nine High Priority Notes.

The HotNews Notes address the Google Chromium browser control shipped with SAP Business Client, the Reprise License Manager component used by SAP 3D Visual Enterprise License Manager, and SAP BusinessObjects Business Intelligence Platform. The most critical BusinessObjects vulnerability (CVE-2023-28762, CVSS 9.1) allows an authenticated attacker with administrator privileges to obtain the login token of any logged-in BI user or server over the network, without any user interaction. With that token the attacker can impersonate the user on the platform, read and modify data, or make the system partially or entirely unavailable.

The High Priority Notes address vulnerabilities in SAP NetWeaver AS Java (improper access control during application start-up), the SAP IBP add-in for Microsoft Excel (privilege escalation), SAP GUI for Windows (information disclosure), SAP Commerce (denial of service) and SAP PowerDesigner (memory corruption in the proxy). Depending on the component, exploitation could give an attacker unauthorized access to systems, data or functionality, or let them disrupt or disable the affected service.

SAP customers are advised to apply the patches as soon as possible. The notes are available on the SAP Security Patch Day page of the SAP Support Portal.

Here are the individual Security Notes addressed in the May 2023 SAP Security Patch Day, with their CVSS scores:

1. SAP Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – CVSS: 10.0

2. SAP Note 3328495 – Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager – CVSS: 9.8

3. SAP Note 3307833 – [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console) – CVSS: 9.1

4. SAP Note 3323415 – [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel – CVSS: 8.2

5. SAP Note 3317453 – [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA – CVSS: 8.2

6. SAP Note 3300624 – [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) – CVSS: 7.5

7. SAP Note 3320467 – [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows – CVSS: 7.5

8. SAP Note 3320145 – Denial of service (DOS) in SAP Commerce – CVSS: 7.5

9. SAP Note 3213524 – [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) – CVSS: 6.0

10. SAP Note 3309935 – [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 6.1

11. SAP Note 3313484 – [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 6.3

12. SAP Note 3315971 – [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) – CVSS: 6.1

13. SAP Note 3319400 – [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 6.1

14. SAP Note 3302595 – [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 3.7

15. SAP Note 3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) – CVSS: 3.1

16. SAP Note 3312892 – [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation – CVSS: 5.4

17. SAP Note 2335198 – [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy – CVSS: 2.8

18. SAP Note 3145769 – [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) – CVSS: 5.3

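Patch Day digests like the list above are usually pasted into a ticketing or vulnerability-tracking system, and the raw text tends to arrive with repeated entries and without SAP's priority label. The following added example (written for this page, not code from RedRays or from SAP) parses lines in exactly the format used in the list above, drops repeated note numbers, and assigns each note SAP's Security Note priority band from its CVSS score (HotNews 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low below 4.0). The sample digest embedded in the block is constructed from a handful of the list entries above, including one deliberately repeated line.

```python
import re
from collections import Counter

# One digest line as printed in the post, e.g.
#   "3. SAP Note 3307833 – [CVE-2023-28762] Information Disclosure in ... – CVSS: 9.1"
# The leading item number and the [CVE-...] tag are both optional: updated notes
# such as 2622660 are listed without a CVE. Dashes may be en/em dashes or hyphens.
LINE_RE = re.compile(
    r"^\s*(?:\d+\.\s*)?SAP Note\s+(?P<note>\d{6,8})\s*[–—-]\s*"
    r"(?:\[(?P<cve>CVE-\d{4}-\d{4,})\]\s*)?"
    r"(?P<title>.+?)\s*[–—-]\s*CVSS:\s*(?P<cvss>\d+(?:\.\d)?)\s*$"
)

# Constructed sample input: a subset of the May 2023 list, with note 3309935
# repeated on purpose to exercise de-duplication.
SAMPLE_DIGEST = """\
1. SAP Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – CVSS: 10.0
3. SAP Note 3307833 – [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console) – CVSS: 9.1
5. SAP Note 3317453 – [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA – CVSS: 8.2
10. SAP Note 3309935 – [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 6.1
16. SAP Note 3309935 – [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform – CVSS: 6.1
17. SAP Note 2335198 – [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy – CVSS: 2.8
"""


def sap_priority(cvss: float) -> str:
    """Map a CVSS v3 base score onto SAP's Security Note priority bands."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def parse_line(line: str):
    """Parse a single digest line; return None for lines that are not note entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cvss = float(m.group("cvss"))
    return {
        "note": m.group("note"),
        "cve": m.group("cve"),          # None for notes listed without a CVE
        "title": m.group("title").strip(),
        "cvss": cvss,
        "priority": sap_priority(cvss),
    }


def parse_digest(text: str) -> list:
    """Parse every note line, keep the first occurrence of each note number,
    and return the unique notes ordered by descending CVSS score."""
    by_note = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["note"] in by_note:
            continue
        by_note[rec["note"]] = rec
    return sorted(by_note.values(), key=lambda r: -r["cvss"])


def priority_counts(records: list) -> dict:
    """Count unique notes per SAP priority band, e.g. to cross-check a digest's summary."""
    return dict(Counter(r["priority"] for r in records))


def notes_without_cve(records: list) -> list:
    """Note numbers that carry no CVE tag; these need the note itself for tracking."""
    return [r["note"] for r in records if r["cve"] is None]


if __name__ == "__main__":
    notes = parse_digest(SAMPLE_DIGEST)
    for r in notes:
        print(f'{r["priority"]:8} {r["cvss"]:4} {r["note"]} {r["cve"] or "-":15} {r["title"]}')
    print(priority_counts(notes))
```

Feeding the full list above through `parse_digest` is a quick way to see how many distinct notes a digest really contains and how they split across SAP's bands before the counts are compared with the Patch Day summary.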

SAP customers are advised to review the SAP Security Patch Day page on the SAP Support Portal for full details of these notes and to apply the patches as soon as possible.
