SAP Patch Day: December 2023

SAP Security Notes Blog

Important Patch for SAP BTP Security Services Integration Libraries 

Highlights of December SAP Security Notes analysis include:

  • December Summary – Seventeen new and updated SAP security patches released, including four HotNews Notes and four High Priority Notes. 
  • HotNews for SAP BTP – Vulnerability in SAP BTP Security Services Integration Libraries can lead to a critical Escalation of Privileges
  • Important Update for IS-OIL – Former HotNews patch was incomplete and requires update

SAP has published seventeen new and updated Security Notes on its December Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes four HotNews Notes and four High Priority Notes. 

Two of the four HotNews Notes are updates on a critical OS Command Injection vulnerability in IS-OIL that was reported to SAP by the Onapsis Research Labs earlier this year. SAP Security Note #3350297, tagged with a CVSS score of 9.1, was initially released in July 2023 to patch this vulnerability. The note was updated by SAP with a reference to the new HotNews Note #3399691, stating that the vulnerability is only patched completely when applying both patches, #3350297 and #3399691. Both Security Notes point out that the corresponding patches may only be applied to a system if IS-OIL is activated. Ignoring this prerequisite can lead to serious system inconsistencies.  

Another HotNews Note is the regularly recurring SAP Security Note #2622660, which provides an update for SAP Business Client, including the latest supported Chromium patches. SAP Business Client now supports Chromium version 119.0.6045.159, which fixes forty-four vulnerabilities in total, including three Critical and seventeen High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities in the context of SAP Business Client is 8.8.
 

The New HotNews Note in Detail

SAP Security Note #3411067, tagged with a CVSS score of 9.1, addresses a critical Escalation of Privileges vulnerability in SAP’s flagship application, SAP Business Technology Platform (SAP BTP). The vulnerability affects the SAP BTP Security Services Integration Libraries designed to simplify the integration of SAP BTP security services like the SAP Authorization and Trust Management Service (XSUAA) and other identity services. It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity. The note lists the affected libraries and Programming Infrastructure versions and provides some hints and references on how to apply the updates. SAP has released a blog post on Security Note #3411067 that emphasizes the importance of updating the affected components. Unfortunately, it doesn’t provide any more details about the vulnerability.

High Priority SAP Security Notes

SAP Security Note #3394567, tagged with a CVSS score of 8.1, patches an Improper Access Control vulnerability in SAP Commerce Cloud. If SAP Commerce Cloud – Composable Storefront is used as a storefront, locked users can use the Forgotten Password functionality to unlock their own account, because the loginDisabled flag for the user was incorrectly set to false during the password reset process. This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity.
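The flaw class described above, as an added example: a constructed Python model, not SAP Commerce Cloud code and not taken from the Security Note. The `login_disabled` field mirrors the loginDisabled flag named in the note; the function names and the `user-admin` role are hypothetical. It shows a reset path that clears the lock flag next to one that leaves lock state to a single authorized path, plus a regression check that separates the two.

```python
import hmac
from dataclasses import dataclass


@dataclass
class User:
    uid: str
    password_hash: str
    login_disabled: bool = False  # mirrors the loginDisabled flag named in the note


def reset_password_flawed(user: User, new_hash: str) -> None:
    """Models the reported behaviour: the reset path also clears the lock flag."""
    user.password_hash = new_hash
    user.login_disabled = False  # BUG: a locked account unlocks itself


def reset_password_fixed(user: User, new_hash: str) -> None:
    """Changes only the credential; the lock flag is not touched here."""
    user.password_hash = new_hash


def unlock(user: User, actor_roles: set[str]) -> None:
    """The only path allowed to clear login_disabled (role name is hypothetical)."""
    if "user-admin" not in actor_roles:
        raise PermissionError("unlock requires the user-admin role")
    user.login_disabled = False


def can_login(user: User, presented_hash: str) -> bool:
    """Login succeeds only for an unlocked account with a matching credential."""
    matches = hmac.compare_digest(presented_hash, user.password_hash)
    return matches and not user.login_disabled


def locked_user_regains_access(reset) -> bool:
    """Regression check: lock a user, run a reset, report whether login now works."""
    user = User(uid="constructed-user", password_hash="old", login_disabled=True)
    reset(user, "new")
    return can_login(user, "new")


if __name__ == "__main__":
    print("flawed reset unlocks:", locked_user_regains_access(reset_password_flawed))
    print("fixed reset unlocks: ", locked_user_regains_access(reset_password_fixed))
```

A check shaped like `locked_user_regains_access` belongs in the test suite of any account-recovery flow, so that a later change to the reset path cannot silently reintroduce the unlock.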

SAP Security Note #3382353, tagged with a CVSS score of 7.5, addresses a Cross-Site Scripting vulnerability in SAP BusinessObjects Business Intelligence Platform. The vulnerability allows a highly privileged attacker to upload malicious documents into the system which, when opened by any other user, could lead to high impact on the integrity of the application. As a temporary workaround, customers can restrict the allowed file extensions for a file upload to minimize the risk of an exploit.

SAP Security Note #3385711, tagged with a CVSS score of 7.3, describes an Information Disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java. Under certain conditions, an unauthenticated attacker can get access to restricted and confidential information. The system’s confidentiality and availability can also be impacted, since the vulnerability allows the attacker to create Layout configurations of the ABAP List Viewer. Among other effects, this could result in an increase of AS ABAP response time.

A Missing Authorization Check vulnerability in the SAP EMARSYS SDK ANDROID allows an attacker with control over a victim’s mobile Android device to forward web pages and/or deep links to themselves directly from the host application, without any validation. On successful exploitation, an attacker could navigate to arbitrary URLs, including application deep links on the device. SAP Security Note #3406244, tagged with a CVSS score of 7.1, provides a patch for this vulnerability as well as a temporary workaround.

Summary and Conclusion

With seventeen new and updated SAP Security Notes, including four HotNews Notes and four High Priority Notes, SAP’s December Patch Day represents an average Patch Day. SAP Security Note #3411067 for SAP BTP demonstrates once more that using a cloud solution does not relieve customers of the need to establish their own security and patch processes. SAP Product Expert Jürgen Adolf summarizes this in his blog post on Security Note #3411067:

“Security is a shared responsibility, and proactive measures are crucial to maintaining the integrity of our SAP BTP environments. By staying informed and promptly addressing security notes such as 3411067, we collectively contribute to a safer and more secure digital landscape.”

| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3411067 | New | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries BC-CP-CF-SEC-LIB | HotNews | 9.1 |
| 3395306 | New | [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager SV-SMG-IMP | Medium | 6.4 |
| 3159329 | New | Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5 CA-UI5-COR-FND | Medium | 5.3 |
| 3363690 | New | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance CA-MDG-ML | Low | 3.5 |
| 3406244 | New | [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID CEC-EMA | High | 7.1 |
| 3406786 | New | [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad CA-FLP-ABA | Medium | 4.3 |
| 3392547 | New | [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-CCM-MON-ORA | Medium | 4.1 |
| 3385711 | New | [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java BC-FES-GUI | High | 7.3 |
| 3217087 | New | [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution) PY-IE | Medium | 6.1 |
| 3382353 | New | [CVE-2023-42478] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform BI-BIP-ADM | High | 7.5 |
| 3399691 | New | Update 1 to 3350297 – [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) IS-OIL-DS-HPM | HotNews | 9.1 |
| 3362463 | New | [CVE-2023-49578] Denial of service (DOS) in SAP Cloud Connector BC-MID-SCC | Low | 3.5 |
| 3394567 | New | [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud CEC-COM-CPS | High | 8.1 |
| 3383321 | New | [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct FIN-FSCM-BD | Medium | 6.1 |
| 3369353 | New | [CVE-2023-42476] Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence BI-RA-WBI-FE | Medium | 6.8 |
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client BC-FES-BUS-DSK | HotNews | 10.0 |
| 3350297 | Update | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) IS-OIL-DS-HPM | HotNews | 9.1 |

And so, we bring our last SAP Patch Day blog for 2023 to a close. Through this past year, Onapsis Research Labs has continued to be the most prolific supplier of vulnerability research to the SAP Product Team. The Onapsis Platform is automatically updated with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses. 

We’ll see you here, same time and same place, next year when we kick off our recaps for 2024. For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.