Arpine Maghakyan

Security Researcher at RedRays.

SAP Security Patch Day – September 2023

On September 12, 2023, SAP once again released a set of security patches addressing vulnerabilities across its product line. Below is a rundown of the security notes, grouped by SAP priority (HotNews, High, Medium, Low) with their Common Vulnerability Scoring System (CVSS) scores. Three of the entries are updates to notes released earlier; they are marked with their original release date.

HotNews

  • BI-BIP-CMC [CVE-2023-25616]: Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) with a CVSS score of 9.9. First released on 14.03.2023, updated on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-40622]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) with a CVSS score of 9.9. Released on 12.09.2023.
  • BC-IAM-SSO-CCL [CVE-2023-40309]: Missing Authorization check in SAP CommonCryptoLib with a CVSS score of 9.8. Released on 12.09.2023.
  • BC-FES-BUS-DSK: Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS score of 10.0. First released on 10.04.2018, updated on 12.09.2023. This recurring note bundles the upstream Chromium CVEs fixed in the shipped browser control and carries no single SAP CVE of its own.
  • BC-XI-CON-UDS [CVE-2022-41272]: Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. First released on 13.12.2022, updated on 12.09.2023.

High Priority

  • BI-RA-WBI-FE [CVE-2023-42472]: Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) with a CVSS score of 8.7. Released on 12.09.2023.
  • BC-CCM-HAG [CVE-2023-40308]: Memory Corruption vulnerability in SAP CommonCryptoLib with a CVSS score of 7.5. Released on 12.09.2023.

Medium Priority

  • BC-SYB-PD [CVE-2023-40621]: Code Injection vulnerability in SAP PowerDesigner Client with a CVSS score of 6.3. Released on 12.09.2023.
  • MM-FIO-PUR-SQ-CON [CVE-2023-40625]: Missing Authorization check in Manage Purchase Contracts App with a CVSS score of 5.4. Released on 12.09.2023.
  • BC-GP [CVE-2023-41367]: Missing Authentication check in SAP NetWeaver (Guided Procedures) with a CVSS score of 5.3. Released on 12.09.2023.
  • BI-BIP-LCM [CVE-2023-37489]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) with a CVSS score of 5.3. Released on 12.09.2023.
  • FS-QUO [CVE-2023-24998]: Denial of service (DoS) vulnerability due to the usage of a vulnerable version of Apache Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) with a CVSS score of 5.7. Released on 12.09.2023.
  • BC-WD-UR [CVE-2023-40624]: Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) with a CVSS score of 5.5. Released on 12.09.2023.
  • BI-BIP-INS [CVE-2023-40623]: Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) with a CVSS score of 6.2. Released on 12.09.2023.

Low Priority

  • FI-FIO-AP-CHK [CVE-2023-41368]: Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) with a CVSS score of 2.7. Released on 12.09.2023.
  • FI-FIO-AP [CVE-2023-41369]: External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) with a CVSS score of 3.5. Released on 12.09.2023.

Statistics:

Total SAP notes listed: 16 (13 new, 3 updated)
Total vulnerabilities addressed: 16
Highest CVSS Score: 10.0 (HotNews) – Security updates for the browser control Google Chromium delivered with SAP Business Client – BC-FES-BUS-DSK

Description: This HotNews-rated note, first published in 2018 and refreshed on each Patch Day, delivers the upstream Chromium fixes for the browser control embedded in SAP Business Client. The CVSS score of 10.0 is assigned to the note as a whole; it is not tied to a single SAP CVE, so tracking it by CVE alone will miss it. Installations of SAP Business Client should be checked against the current version of the note after every Patch Day.

Top 2 Critical Bugs:

  1. BI-BIP-CMC [CVE-2023-25616]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
    • Description: This HotNews note resolves a Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC). Per the vector, the attack is network-reachable, low-complexity and needs no user interaction, but does require a low-privileged account (PR:L). The scope change (S:C) combined with High impact on confidentiality, integrity and availability means the damage extends beyond the vulnerable component itself. Because this is an update to a note first released on 14.03.2023, systems patched in March should be verified against the revised version rather than assumed covered.
  2. BC-XI-CON-UDS [CVE-2022-41272]
    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)
    • Description: This HotNews note addresses improper access control in SAP NetWeaver AS Java (User Defined Search). The vector shows an unauthenticated (PR:N), network-reachable attack with High impact on confidentiality and Low impact on integrity and availability, again with a scope change. As the vulnerability allows unauthorized access without any credentials, immediate patching is essential; like the CMC note, it is an update to a note first released on 13.12.2022, so the currently installed version should be confirmed.
