Share
Beitragsbild zu SAP Security Patch Day June 2023

SAP Security Patch Day June 2023

Cross-Site Scripting Never Gets Old

Highlights of June SAP Security Notes analysis include thirteen new and updated SAP security patches released, including four High Priority Notes. Cross-Site Scripting (XSS) as the most popular vulnerability, with eight notes released which patch this vulnerability in different components. This includes two out of four High Priority Notes and no Hot News this time. This month, the Onapsis Research Labs contributed to fixing one vulnerability that affects the Transport Management System and can lead to a Denial of Service.

Two of the High Priority Notes, #3326210 and #3324285, are affecting SAPUI5 component. The first one was released in May’s Patch Day and is now re-released with an updated Solution and Workaround. The second note is one of the eight XSS Security Notes and affects UI5 Management.

High-Priority SAP Security Notes in Detail

New High-Priority SAP Security Notes

SAP Security Note #3324285, with a CVSS score of 8.2, patches an issue in UI5 Variant Management that might lead to a Stored Cross-Site Scripting (Stored XSS) vulnerability. This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 Varian Management application.

The second new High Priority SAP Security Note is #3301942. This note is tagged with a CVSS score of 7.9. This vulnerability allows an attacker to connect to SAP Plant Connectivity as well as Production Connector for SAP Digital Manufacturing without a valid JSON Web Token (JWT), compromising their integrity and integration with SAP Digital Manufacturing. In order to fully patch this vulnerability, both components must be patched and JWT signature validation must be configured from the Cloud Connector settings.

Updates in previously released High Priority SAP Security Notes

SAP Security Note #3326210, tagged with a CVSS score of 7.1, was first released in May’s Patch Day and it is updated on this Patch Day. The Note patches an Improper Neutralization vulnerability in the sap.m.FormattedText SAPUI5 control allowing an attacker to read or modify a user’s information through a phishing attack. The update contains only minor textual or structural changes and adds support for SAP NetWeaver 7.58.

The remaining updated High Priority Note also contains minor textual or structural updates. SAP Security Note #3102769, tagged with a CVSS score of 8.8, contains a patch for a critical Cross-Site Scripting vulnerability in SAP Knowledge Warehouse. It also provides a workaround that describes the deactivation of the vulnerable displaying component. New patch-level patches are released for SAP NetWeaver 7.31 and 7.40.

Cross-Site Scripting SAP Security Notes

Despite the fact that there are only two High Priority SAP Security Notes that fix a Cross-site Scripting vulnerability, it is worth mentioning that six Medium Priority SAP Security Notes are released in this June Patch Day.

SAP Security Notes #3319400 and #3315971 were first released on May’s Patch Day and they are now updated. The first Note states that SAP Business Object 4.2 is unaffected by the vulnerability and removes this version from the list of affected ones. The case for Note #3315971 and the issue in SAP CRM is different. In this case, SAP is warning the users about the completeness of the fix and recommending r the implementation of SAP Security Note #3322800, released also on this Patch Day.

SAP Security Notes #2826092#3331627 and #3318657 fix Cross-Site Scripting vulnerability in SAP CRM Grantor Management, SAP Enterprise Portal, and Design Time Repository, respectively. SAP Note #3318657 is tagged with a CVSS score of 6.4 and the other two are tagged, with a score of 6.1. The patch for all three of them only requires updating the affected component.

Further Contribution of the Onapsis Research Labs

The Onapsis Research Labs, inclusive of June, has now provided research contributions to SAP for thirty-seven patches in 2023. This month’s contribution is related to an issue in the Transport Management System.

A standard report can be used to generate and export an arbitrary number of transport requests, each of them containing several objects and each object having several keys. Each key generates multiple lines into the corresponding log file of the transport export.

When misused, an attacker can:

  • Flood the number range for transport requests until it is full and thus no transports can be created at all
  • Fill up the disk where the transport directory is located. If a central transport directory is used for multiple system landscapes, or if the disk is part of a central file server and used for other applications, these will become unavailable too.

This issue is patched in SAP Security Note #3325642 and it consists in removing that standard report.

Summary and Conclusion

With thirteen new and updated SAP Security Notes including four High Priority Notes and no HotNews Notes, SAP’s June Patch Day is not as busy as others have been. Special attention should be paid to the re-released Note #3315971 and it’s update #3322800 to fully fix the XSS vulnerability in SAP CRM.

SAP Note

Type

Description

Priority

CVSS

3319400

Update

[CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform

EP-PIN-NAV

Medium

6,1

2826092

New

[CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management)

CA-UI5-CTR-BAL

Medium

6,1

3318657

New

[CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository)

BC-CTS-TMS-CTR

Medium

6,4

3331627

New

[CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal)

CA-UI5-COR

Medium

6,1

3325642

New

[CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System)

CA-WUI-UI-TAG

Low

2,7

3326210

Update

[CVE-2023-30743] Improper Neutralization of Input in SAPUI5

BI-BIP-INV

High

7,1

3324285

New

[CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)

BC-CTS-DTR

High

8,2

3322800

New

Update 1 to security note 3315971 – [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)

CA-WUI-UI-TAG

Medium

6,1

3315971

Update

[CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)

MFG-PCO-DMC

Medium

6,1

3102769

Update

[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse

LO-MD-BP

High

8,8

3142092

Update

[CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)

KM-KW-HTA

Medium

6,5

1794761

New

[CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)

CRM-IPS-BTX-APL

Medium

4,2

3301942

New

[CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing

AP-MD-BF-SYN

High

7,9

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

Source: Onapsis-Blog

Sie haben Fragen? Ihr Ansprechpartner für D/A/CH

Do you have any questions? Your contact person for D/A/CH

Thomas Fritsch, Onapsis

Firma zum Thema

onapsis