Critical Patches for SAP BusinessObjects and SAP CommonCryptoLib released
Highlights of September SAP Security Notes analysis include:
- September Summary—Eighteen new and updated SAP security patches released, including five HotNews Notes and two High Priority Notes
- SAP BusinessObjects in Focus—Five patches released, including two HotNews Notes and one High Priority Note
- Onapsis Research Labs Contribution—Our team supported SAP in patching a High Priority vulnerability in SAP CommonCryptoLib
SAP has published eighteen new and updated Security Notes on its September Patch Day (including the notes that were released or updated since the last Patch Tuesday). This includes five HotNews Notes and two High Priority Notes.
One of the five HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 116.0.5845.97 which fixes sixty-seven vulnerabilities in total including one Critical and thirty-one High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 8.8.
HotNews Note #3245526, tagged with a CVSS score of 9.9, is an update to a patch that was initially released by SAP in March 2023. It fixes a serious Code Injection vulnerability in SAP BusinessObjects. The ‘Support Packages & Patches’ section of the note was updated with the latest patch levels.
HotNews Note #3273480, tagged with a CVSS score of 9.9, is another update that only became necessary because the Security Note had previously been deleted by accident. No customer action is required.
The New HotNews Notes in Detail
SAP Security Note #3320355, tagged with a CVSS score of 9.9, is a new HotNews Note for SAP BusinessObjects. The job folder of the Promotion Management component is vulnerable to an Information Disclosure. A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application. As a workaround, SAP recommends granting the rights to access and perform promotions in Promotion Management only to the users who require them. Normal users do not have view rights by default; however, the users of the administrator group should be explicitly denied view rights on the Promotion jobs folder.
SAP Security Note #3340576, tagged with a CVSS score of 9.8, is the second new HotNews Note of SAP’s September Patch Day. Missing or wrong authorization checks in SAP CommonCryptoLib can result in an escalation of privileges. The resulting impact depends on the application and on the level of acquired privileges. In the worst case, attackers can compromise the affected application completely.
High Priority SAP Security Notes
In addition to the HotNews Notes for SAP BusinessObjects and SAP CommonCryptoLib, SAP has also released High Priority Notes for these two applications.
SAP Security Note #3370490, tagged with a CVSS score of 8.7, patches an Insufficient File Type Validation vulnerability in the Web Intelligence HTML interface of SAP BusinessObjects Business Intelligence Platform. While uploading a local image file as part of a report creation, an authenticated attacker could intercept the request and modify the content type and the file extension. This would allow them to read and modify sensitive data, causing a high impact on the confidentiality and integrity of the application.
The Onapsis Research Labs supported SAP in patching a High Priority Memory Corruption vulnerability in SAP CommonCryptoLib. The corresponding SAP Security Note #3327896, tagged with a CVSS score of 7.5, provides patches for all affected applications:
- Kernel Patch for SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise
- SAPSSOEXT Library
- SAP Web Dispatcher
- SAP Host Agent
- SAP Content Server
- SAP HANA Database
- SAP Extended Application Services and Runtime (XSA)
The good news is that all patches for HotNews Note #3340576 automatically patch this vulnerability, too, with only one exception: while the HotNews Note does not affect SAP HANA revisions based on 2.0 SPS 05, #3327896 does. The required revision for patching #3327896 on that release is 2.00.059.10.
Information for SAP BusinessObjects Customers
SAP provided five patches in total for SAP BusinessObjects. The following table is a quick reference to identify which SP levels are affected by which vulnerabilities and the patch levels that fix them (one row per affected component version and SP):
SAP Note | CVSS | Software Component Version | Affected SP | Patch Level |
---|---|---|---|---|
#3320355 | 9.9 | SBOP BI PLATFORM SERVERS 4.2 | SP009 | 001600 |
#3320355 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP002 | 001201 |
#3320355 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP003 | 000600 |
#3320355 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP004 | 000000 |
#3245526 | 9.9 | SBOP BI PLATFORM SERVERS 4.2 | SP009 | 001300 |
#3245526 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP002 | 001000 |
#3245526 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP003 | 000100 |
#3245526 | 9.9 | SBOP BI PLATFORM SERVERS 4.3 | SP004 | 000000 |
#3370490 | 8.7 | SBOP BI PLATFORM SERVERS 4.2 | SP009 | 001600 |
#3317702 | 6.2 | SBOP BI PLATFORM SERVERS 4.2 | SP009 | 001600 |
#3317702 | 6.2 | SBOP BI PLATFORM SERVERS 4.3 | SP003 | 000600 |
#3317702 | 6.2 | SBOP BI PLATFORM CLIENTS 4.2 | SP009 | 001600 |
#3317702 | 6.2 | SBOP BI PLATFORM CLIENTS 4.3 | SP003 | 000600 |
#3352453 | 5.3 | SBOP BI PLATFORM SERVERS 4.3 | SP003 | 000600 |
#3352453 | 5.3 | SBOP BI PLATFORM SERVERS 4.3 | SP004 | 000000 |
Summarizing this information, all SAP BusinessObjects vulnerabilities are fixed with the following Patch Levels:
Software Component Version | Affected SP | Patch Level |
---|---|---|
SBOP BI PLATFORM SERVERS 4.2 | SP009 | 001600 |
SBOP BI PLATFORM CLIENTS 4.2 | SP009 | 001600 |
SBOP BI PLATFORM SERVERS 4.3 | SP002 | 001201 |
SBOP BI PLATFORM SERVERS 4.3 | SP003 | 000600 |
SBOP BI PLATFORM SERVERS 4.3 | SP004 | 000000 |
SBOP BI PLATFORM CLIENTS 4.3 | SP003 | 000600 |
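As an added example (not code from the original post, Onapsis or SAP), the per-note patch table above turned into a lookup that tells an administrator which of the five BusinessObjects notes an installed level still lacks. The installed-level string format ("component SPnnn patchlevel") and the sample inputs are constructed assumptions; the patch levels are the ones from the table.

```python
"""Check an SAP BusinessObjects level against the September 2023 BusinessObjects notes."""
import re

# (note, component version, affected SP) -> minimum fixing patch level (from the table above).
# 0 means the base SP already contains the fix.
REQUIRED = {
    ("3320355", "SBOP BI PLATFORM SERVERS 4.2", "SP009"): 1600,
    ("3320355", "SBOP BI PLATFORM SERVERS 4.3", "SP002"): 1201,
    ("3320355", "SBOP BI PLATFORM SERVERS 4.3", "SP003"): 600,
    ("3320355", "SBOP BI PLATFORM SERVERS 4.3", "SP004"): 0,
    ("3245526", "SBOP BI PLATFORM SERVERS 4.2", "SP009"): 1300,
    ("3245526", "SBOP BI PLATFORM SERVERS 4.3", "SP002"): 1000,
    ("3245526", "SBOP BI PLATFORM SERVERS 4.3", "SP003"): 100,
    ("3245526", "SBOP BI PLATFORM SERVERS 4.3", "SP004"): 0,
    ("3370490", "SBOP BI PLATFORM SERVERS 4.2", "SP009"): 1600,
    ("3317702", "SBOP BI PLATFORM SERVERS 4.2", "SP009"): 1600,
    ("3317702", "SBOP BI PLATFORM SERVERS 4.3", "SP003"): 600,
    ("3317702", "SBOP BI PLATFORM CLIENTS 4.2", "SP009"): 1600,
    ("3317702", "SBOP BI PLATFORM CLIENTS 4.3", "SP003"): 600,
    ("3352453", "SBOP BI PLATFORM SERVERS 4.3", "SP003"): 600,
    ("3352453", "SBOP BI PLATFORM SERVERS 4.3", "SP004"): 0,
}

# Assumed input format, e.g. "SBOP BI PLATFORM SERVERS 4.3 SP003 000400" (constructed, not an SAP format).
LEVEL_RE = re.compile(r"^(?P<component>.+ \d\.\d) (?P<sp>SP\d{3}) (?P<patch>\d{6})$")


def missing_notes(installed: str) -> list[str]:
    """Return the SAP Notes whose fixing patch level is above the installed level.

    Raises LookupError when the component/SP pair is not listed in the table at all,
    because an unlisted SP is not evidence that it is unaffected.
    """
    m = LEVEL_RE.match(installed.strip())
    if not m:
        raise ValueError(f"unrecognised level string: {installed!r}")
    component, sp, patch = m.group("component"), m.group("sp"), int(m.group("patch"))
    rows = [(note, req) for (note, comp, aff), req in REQUIRED.items()
            if comp == component and aff == sp]
    if not rows:
        raise LookupError(f"{component} {sp} is not listed in the table; check the notes directly")
    return sorted({note for note, req in rows if patch < req})


if __name__ == "__main__":
    # Constructed sample: a 4.3 SP003 server at patch 4 still lacks three of the notes.
    print(missing_notes("SBOP BI PLATFORM SERVERS 4.3 SP003 000400"))
```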
Summary and Conclusion
With eighteen new and updated SAP Security Notes, including five HotNews Notes and two High Priority Notes, SAP's September Patch Day seems to be a busy one. But since two HotNews Notes are only minor updates that do not require customer action, and not much effort is needed to implement the SAP BusinessObjects and SAP CommonCryptoLib notes, the patching effort is manageable.
SAP Note | Type | Description | Component | Priority | CVSS |
---|---|---|---|---|---|
3245526 | Update | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | BI-BIP-CMC | HotNews | 9.9 |
3357163 | New | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client | BC-SYB-PD | Medium | 6.3 |
3355675 | New | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | FI-FIO-AP-CHK | Low | 2.7 |
3326361 | New | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App | MM-FIO-PUR-SQ-CON | Medium | 5.4 |
3370490 | New | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | BI-RA-WBI-FE | High | 8.7 |
3348142 | New | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures) | BC-GP | Medium | 5.3 |
3352453 | New | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | BI-BIP-LCM | Medium | 5.3 |
3349805 | New | Denial of service (DOS) vulnerability due to the usage of a vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | FS-QUO | Medium | 5.7 |
3327896 | New | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib | BC-IAM-SSO-CCL | High | 7.5 |
3323163 | New | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | BC-WD-UR | Medium | 5.5 |
3320355 | New | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | BI-BIP-LCM | HotNews | 9.9 |
3317702 | New | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | BI-BIP-INS | Medium | 6.2 |
2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSK | HotNews | 10.0 |
3273480 | Update | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | BC-XI-CON-UDS | HotNews | 9.9 |
3369680 | New | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | FI-FIO-AP | Low | 3.5 |
3340576 | New | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | BC-IAM-SSO-CCL | HotNews | 9.8 |
3156972 | Update | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | MM-FIO-PUR-REQ-SSP | Medium | 6.1 |
3149794 | Update | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 | CA-UI5-COR | Medium | 6.1 |
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest, our monthly video recap of ERP security news.
Source: Onapsis-Blog