SAP Security Patch Day June 2023
Cross-Site Scripting Never Gets Old
Highlights of June SAP Security Notes analysis include thirteen new and updated SAP security patches released, including four High Priority Notes. Cross-Site Scripting (XSS) as the most popular vulnerability, with eight notes released which patch this vulnerability in different components. This includes two out of four High Priority Notes and no Hot News this time. This month, the Onapsis Research Labs contributed to fixing one vulnerability that affects the Transport Management System and can lead to a Denial of Service.
Two of the High Priority Notes, #3326210 and #3324285, are affecting SAPUI5 component. The first one was released in May’s Patch Day and is now re-released with an updated Solution and Workaround. The second note is one of the eight XSS Security Notes and affects UI5 Management.
High-Priority SAP Security Notes in Detail
New High-Priority SAP Security Notes
SAP Security Note #3324285, with a CVSS score of 8.2, patches an issue in UI5 Variant Management that might lead to a Stored Cross-Site Scripting (Stored XSS) vulnerability. This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 Varian Management application.
The second new High Priority SAP Security Note is #3301942. This note is tagged with a CVSS score of 7.9. This vulnerability allows an attacker to connect to SAP Plant Connectivity as well as Production Connector for SAP Digital Manufacturing without a valid JSON Web Token (JWT), compromising their integrity and integration with SAP Digital Manufacturing. In order to fully patch this vulnerability, both components must be patched and JWT signature validation must be configured from the Cloud Connector settings.
Updates in previously released High Priority SAP Security Notes
SAP Security Note #3326210, tagged with a CVSS score of 7.1, was first released in May’s Patch Day and it is updated on this Patch Day. The Note patches an Improper Neutralization vulnerability in the sap.m.FormattedText SAPUI5 control allowing an attacker to read or modify a user’s information through a phishing attack. The update contains only minor textual or structural changes and adds support for SAP NetWeaver 7.58.
The remaining updated High Priority Note also contains minor textual or structural updates. SAP Security Note #3102769, tagged with a CVSS score of 8.8, contains a patch for a critical Cross-Site Scripting vulnerability in SAP Knowledge Warehouse. It also provides a workaround that describes the deactivation of the vulnerable displaying component. New patch-level patches are released for SAP NetWeaver 7.31 and 7.40.
Cross-Site Scripting SAP Security Notes
Despite the fact that there are only two High Priority SAP Security Notes that fix a Cross-site Scripting vulnerability, it is worth mentioning that six Medium Priority SAP Security Notes are released in this June Patch Day.
SAP Security Notes #3319400 and #3315971 were first released on May’s Patch Day and they are now updated. The first Note states that SAP Business Object 4.2 is unaffected by the vulnerability and removes this version from the list of affected ones. The case for Note #3315971 and the issue in SAP CRM is different. In this case, SAP is warning the users about the completeness of the fix and recommending r the implementation of SAP Security Note #3322800, released also on this Patch Day.
SAP Security Notes #2826092, #3331627 and #3318657 fix Cross-Site Scripting vulnerability in SAP CRM Grantor Management, SAP Enterprise Portal, and Design Time Repository, respectively. SAP Note #3318657 is tagged with a CVSS score of 6.4 and the other two are tagged, with a score of 6.1. The patch for all three of them only requires updating the affected component.
Further Contribution of the Onapsis Research Labs
The Onapsis Research Labs, inclusive of June, has now provided research contributions to SAP for thirty-seven patches in 2023. This month’s contribution is related to an issue in the Transport Management System.
A standard report can be used to generate and export an arbitrary number of transport requests, each of them containing several objects and each object having several keys. Each key generates multiple lines into the corresponding log file of the transport export.
When misused, an attacker can:
- Flood the number range for transport requests until it is full and thus no transports can be created at all
- Fill up the disk where the transport directory is located. If a central transport directory is used for multiple system landscapes, or if the disk is part of a central file server and used for other applications, these will become unavailable too.
This issue is patched in SAP Security Note #3325642 and it consists in removing that standard report.
Summary and Conclusion
With thirteen new and updated SAP Security Notes including four High Priority Notes and no HotNews Notes, SAP’s June Patch Day is not as busy as others have been. Special attention should be paid to the re-released Note #3315971 and it’s update #3322800 to fully fix the XSS vulnerability in SAP CRM.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.