Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – September 2023

On September 12, 2023, SAP has once again released a crucial set of security patches to address a myriad of vulnerabilities across its product line. This month’s SAP Security Patch Day primarily focuses on rectifying Program errors. Below is a comprehensive rundown of the security notes, sorted by their Common Vulnerability Scoring System (CVSS) scores:

HotNews

  • BI-BIP-CMC [CVE-2023-25616]: Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) with a CVSS score of 9.9. First released on 14.03.2023, updated on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-40622]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) with a CVSS score of 9.9. Released on 12.09.2023.
  • BC-IAM-SSO-CCL [CVE-2023-40309]: Missing Authorization check in SAP CommonCryptoLib with a CVSS score of 9.8. Released on 12.09.2023.
  • BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS score of 10.0. First released on 10.04.2018, updated on 12.09.2023.
  • BC-XI-CON-UDS [CVE-2022-41272]: Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. First released on 13.12.2022, updated on 12.09.2023.

High Priority

  • BI-RA-WBI-FE [CVE-2023-42472]: Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) with a CVSS score of 8.7. Released on 12.09.2023.
  • BC-CCM-HAG [CVE-2023-40308]: Memory Corruption vulnerability in SAP CommonCryptoLib with a CVSS score of 7.5. Released on 12.09.2023.

Medium Priority

  • BC-SYB-PD [CVE-2023-40621]: Code Injection vulnerability in SAP PowerDesigner Client with a CVSS score of 6.3. Released on 12.09.2023.
  • MM-FIO-PUR-SQ-CON [CVE-2023-40625]: Missing Authorization check in Manage Purchase Contracts App with a CVSS score of 5.4. Released on 12.09.2023.
  • BC-GP [CVE-2023-41367]: Missing Authentication check in SAP NetWeaver (Guided Procedures) with a CVSS score of 5.3. Released on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-37489]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) with a CVSS score of 5.3. Released on 12.09.2023.
  • FS-QUO [CVE-2023-40308]: Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) with a CVSS score of 5.7. Released on 12.09.2023.
  • BC-WD-UR [CVE-2023-40624]: Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) with a CVSS score of 5.5. Released on 12.09.2023.
  • BI-BIP-INS [CVE-2023-40623]: Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer) with a CVSS score of 6.2. Released on 12.09.2023.

Low Priority

  • FI-FIO-AP-CHK [CVE-2023-41368]: Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) with a CVSS score of 2.7. Released on 12.09.2023.
  • FI-FIO-AP [CVE-2023-41369]: External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) with a CVSS score of 3.5. Released on 12.09.2023.

Statistics:

Total new SAP notes: 16
Total vulnerabilities addressed: 16
Highest CVSS Score: 10.0 (HotNews) – Security updates for the browser control Google Chromium delivered with SAP Business Client – [CVE-2023-40624]

Description: This HotNews-rated note addresses security updates for the browser control Google Chromium delivered with SAP Business Client, with a critical CVSS score of 10.0.

Top 2 Critical Bugs:

  1. BI-BIP-CMC [CVE-2023-25616]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
    • Description: This high-priority note resolves a Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) with a CVSS score of 9.9. As this vulnerability allows attackers to compromise system integrity and confidentiality, prompt action is advised to mitigate potential risks.
  2. BC-XI-CON-UDS [CVE-2022-41272]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
    • Description: This high-priority note addresses an Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. As this vulnerability allows unauthorized access, immediate patching is essential to protect the application and its users.

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.