Share
Beitragsbild zu SAP Patch Day: September 2023

SAP Patch Day: September 2023

Critical Patches for SAP BusinessObjects and SAP CommonCryptoLib released

Highlights of September SAP Security Notes analysis include:

  • September Summary—Eighteen new and updated SAP security patches released, including five HotNews Notes and two High Priority Notes
  • SAP BusinessObjects in Focus—Five patches released, including two HotNews Notes and one High Priority Note
  • Onapsis Research Labs Contribution—Our team supported SAP in patching a High Priority vulnerability in SAP CommonCryptoLib

SAP has published eighteen new and updated Security Notes on its September Patch Day (including the notes that were released or updated since last Patch Tuesday.) This includes five HotNews Notes and two High Priority Notes.

One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 116.0.5845.97 which fixes sixty-seven vulnerabilities in total including one Critical and thirty-one High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.

HotNews Note #3245526, tagged with a CVSS score of 9.9, is an update to a patch that was initially released by SAP in March 2023. It fixes a serious Code Injection vulnerability in SAP BusinessObjects. The ‘Support Packages & Patches’ section of the note was updated with the latest patch levels.

HotNews Note #3273480, tagged with a CVSS score of 9.9, is another update that only became necessary because the Security Note was accidentally previously deleted. There is no customer action required.

The New HotNews Notes in Detail

SAP Security Note #3320355, tagged with a CVSS score of 9.9, is a new HotNews Note for SAP BusinessObjects. The job folder of the Promotion Management component is vulnerable to an Information Disclosure. A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application. As a workaround, SAP recommends granting appropriate rights only for the required user to access and perform promotions using Promotion Management. Normal users do not have view rights by default however the users of the administrator group should be explicitly denied view rights on the Promotion jobs folder.

SAP Security Note #3340576, tagged with a CVSS score of 9.8, is the second new HotNews Note of SAP’s September Patch Day. Missing or wrong authorization checks in SAP CommonCryptoLib can result in an escalation of privileges. The resulting impact depends on the application and on the level of acquired privileges. In the worst case, attackers can compromise the affected application completely.

High Priority SAP Security Notes

In addition to the HotNews Notes for SAP BusinessObjects and SAP CommonCryptoLib, SAP has also released High Priority Notes for these two applications.

SAP Security Note #3370490, tagged with a CVSS score of 8.7, patches an Insufficient File Type Validation vulnerability in the Web Intelligence HTML interface of SAP BusinessObjects Business Intelligence Platform. While uploading a local image file as part of a report creation,  an authenticated attacker could intercept the request and modify the content type and the file extension. This would allow them to read and modify sensitive data causing a high impact on confidentiality and integrity of the application.

The Onapsis Research Labs supported SAP in patching a High Priority Memory Corruption vulnerability in SAP CommonCryptoLib. The corresponding SAP Security Note #3327896, tagged with a CVSS score of 7.5, provides patches for all affected applications:

  • Kernel Patch for SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise
  • SAPSSOEXT Library
  • SAP Web Dispatcher
  • SAP Host Agent
  • SAP Content Server
  • SAP HANA Database
  • SAP Extended Application Services and Runtime (XSA)

The good news is that all patches for HotNews Note #3340576 automatically patch this vulnerability, too. There is only one exception. While the HotNews Note does not affect SAP HANA revisions based on 2.0 SPS 05, #3327896 does. The required revision for patching #3327896 is 2.00.059.10.

Information for SAP BusinessObjects Customers

SAP provided five Patches in total for SAP BusinessObjects. The following table represents a quick reference to identify which SP levels are affected by which vulnerabilities and the patch levels that fixes them:

SAP Note CVSS Software Component Version Affected SP Patch Level
#3320355 9.9 SBOP BI PLATFORM SERVERS 4.2
SBOP BI PLATFORM SERVERS 4.3
SP009
SP002
SP003
SP004
001600
001201
000600
000000
#3245526 9.9 SBOP BI PLATFORM SERVERS 4.2

SBOP BI PLATFORM SERVERS 4.3

SP009
SP002
SP003
SP004
001300
001000
000100
000000
#3370490 8.7 SBOP BI PLATFORM SERVERS 4.2 SP009 001600
#3317702 6.2 SBOP BI PLATFORM SERVERS 4.2
SBOP BI PLATFORM SERVERS 4.3
SBOP BI PLATFORM CLIENTS 4.2
SBOP BI PLATFORM CLIENTS 4.3
SP009
SP003
SP009
SP003
001600
000600
001600
000600
#3352453 5.3 SBOP BI PLATFORM SERVERS 4.3 SP003
SP004
000600
000000

Summarizing this information, all SAP BusinessObjects vulnerabilities are fixed with the following Patch Levels:

Software Component Version Affected SP Patch Level
SBOP BI PLATFORM SERVERS 4.2

SBOP BI PLATFORM CLIENTS 4.2
SBOP BI PLATFORM SERVERS 4.3

SBOP BI PLATFORM CLIENTS 4.3

SP009
SP009
SP002
SP003
SP004
SP003
001600
001600
001201
000600
000000
000600
Summary and Conclusion

With eighteen new and updated SAP Security Notes, including five HotNews Notes and two High Priority Notes, SAP’s September Patch Day seems to be a busy one. But since two HotNews Notes are only minor updates that do not require customer actions and not much effort is needed to implement SAP BusinessObjects and SAPCryptoLib notes, the patching effort is manageable.

SAP Note Type Description Priority CVSS
3245526 Update [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)

BI-BIP-CMC

HotNews 9,9
3357163 New [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client

BC-SYB-PD

Medium 6,3
3355675 New [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps)

FI-FIO-AP-CHK

Low 2,7
3326361 New [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App

MM-FIO-PUR-SQ-CON

Medium 5,4
3370490 New [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)

BI-RA-WBI-FE

High 8,7
3348142 New [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures)

BC-GP

Medium 5,3
3352453 New [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)

BI-BIP-LCM

Medium 5,3
3349805 New Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO)

FS-QUO

Medium 5,7
3327896 New [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib

BC-IAM-SSO-CCL

High 7,5
3323163 New [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)

BC-WD-UR

Medium 5,5
3320355 New [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)

 

BI-BIP-LCM

HotNews 9,9
3317702 New [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer)

BI-BIP-INS

Medium 6,2
2622660 Update Security updates for the browser control Google Chromium delivered with SAP Business Client

BC-FES-BUS-DSK

HotNews 10,0
3273480 Update [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)

BC-XI-CON-UDS

HotNews 9,9
3369680 New [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)

FI-FIO-AP

Low 3,5
3340576 New [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib

BC-IAM-SSO-CCL

HotNews 9,8
3156972 Update [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search)

MM-FIO-PUR-REQ-SSP

Medium 6,1
3149794 Update Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5

CA-UI5-COR

Medium 6,1

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest–our monthly video recap of ERP security news.

By Thomas Fritsch

Source: Onapsis-Blog

Sie haben Fragen? Ihr Ansprechpartner für D/A/CH

Do you have any questions? Your contact person for D/A/CH

Thomas Fritsch, Onapsis

 

 

Firma zum Thema

onapsis