SAP Security Patch Day – July 2023
Today is July 11th, the 192nd day of 2023, and it’s SAP Security Patch Day! Security-conscious SAP customers will already know that the leading vendor of enterprise applications releases security updates for its extensive product portfolio on the second Tuesday of every month. SAP’s Product Security Response Team has released 17 security notes this month (including 2 updates to notes from previous releases), among them two with Hot News priority and several with High priority.
Let’s delve into the key highlights of the July SAP Security Patch Day as there is substantial work to be done. Ensuring the resilience of your SAP system against cyber threats necessitates diligent Patch Management, which should never be overlooked.
SAP customers need to invest a significant amount of time in identifying the relevant patches that apply to the product components used by their organizations. This effort is multiplied every month on SAP Security Patch Day. If this backlog is not addressed, it will continue to grow, increasing the risk of exploitation at the same time.
SAP Security Patches July 2023
Today, we will not begin with the SNotes of the highest priority because our team of experts has identified three major areas that require emphasis on this SAP Security Patch Day.
SAP Web Dispatcher Security
Firstly, we recommend focusing on the SAP Web Dispatcher, as it is a critical component in many architectures and is frequently exposed to the public internet. It is essential to review SNote 3233899, which addresses request smuggling and request concatenation vulnerabilities in SAP Web Dispatcher. Additionally, SNote 3340735 has been released to address a memory corruption vulnerability in SAP Web Dispatcher.
SAP Industry Solutions Security
The second area of attention is the ABAP stack of specific industry solutions. This may not be a priority for the majority of SAP customers, since it only concerns organizations that actually run those particular SAP industry solutions.
SNote 3350297 (Hot News) addresses an OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL). This vulnerability allows an authenticated attacker to inject arbitrary operating system commands through the IS-OIL component of SAP ECC and SAP S/4HANA.
Another vulnerability, a Log Injection vulnerability in SAP ERP Defense Forces and Public Security, has been fixed in SNote 3351410. Although the patch carries a CVSS score of “only” 4.9, given the current geopolitical tensions, it would be wise to prioritize it. Many attacks rely on exploiting multiple unpatched vulnerabilities in a chain, allowing the attacker to achieve their goals.
SAP Solution Manager Security
Last, but equally important, we would like to draw your attention to the SAP Solution Manager vulnerabilities addressed in the July 2023 SAP Security Patch Day. SAP Solution Manager is one of the most critical components in every SAP customer’s architecture, and it can serve as an entry point for threat actors. Although it is an often overlooked component of the SAP product family, its risk exposure should not be underestimated.
In this regard, it is essential to review SNote 3352058 (CVSS 7.2), which addresses an Unauthenticated Blind SSRF vulnerability in Solution Manager (Diagnostic Agent). Additionally, SNote 3348145 (CVSS 7.2) fixes a Header Injection vulnerability in SAP Solution Manager (Diagnostic Agent).
Summary by Severity
The July release contains a total of 17 patches of the following severities:

Severity | Number
---|---
Hot News | 2
High | 6
Medium | 9
Note | Description | Components | Category | Released on | Severity | CVSS
---|---|---|---|---|---|---
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSK | Program error | 10.04.2018 | Hot News | 10.0
3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | IS-OIL-DS-HPM | Program error | 11.07.2023 | Hot News | 9.1
3331376 | [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | BW-BCT-GEN | Program error | 11.07.2023 | High | 8.7
3233899 | [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher | BC-CST-WDP | Program error | 11.07.2023 | High | 8.6
3331029 | [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere | BC-SYB-SQA-SRV | Program error | 11.07.2023 | High | 7.8
3340735 | [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher | BC-CST-WDP | Program error | 11.07.2023 | High | 7.7
3352058 | [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) | SV-SMG-DIA-SRV-AGT | Program error | 11.07.2023 | High | 7.2
3348145 | [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent) | SV-SMG-DIA-SRV-AGT | Program error | 11.07.2023 | High | 7.2
3343547 | [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) | BC-XI-IS-WKB | Program error | 11.07.2023 | Medium | 6.5
3343564 | [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool) | BC-XI-IS-WKB | Program error | 11.07.2023 | Medium | 6.5
3341211 | [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) | FI-FIO-GL-TRA | Program error | 11.07.2023 | Medium | 6.3
3326769 | [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now | KM-SEN-MGR | Program error | 11.07.2023 | Medium | 6.1
3318850 | [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | BC-MID-RFC | Program error | 11.07.2023 | Medium | 6.0
3320702 | [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform | BI-BIP-SRV | Program error | 11.07.2023 | Medium | 5.9
3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | BC-JAS-SEC | Program error | 11.07.2023 | Medium | 5.3
3351410 | [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security | IS-DFS-BIT-DIS | Program error | 11.07.2023 | Medium | 4.9
3088078 | [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA | BW-BEX-OT-BICS-PROV | Program error | 11.07.2023 | Medium | 4.5
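The post's central point is that each customer has to map this month's notes onto the product components they actually run and work the backlog in a sensible order. As an added example (not part of the original post and not an SAP tool), the following Python triage helper embeds the note, component, severity and CVSS data from the table above and orders the relevant notes the way the post recommends: the five notes it singles out first, then by severity band, then by CVSS. The installed-component set and the prefix-matching rule for SAP component codes are this example's assumptions.

```python
# Added example (not from the post or any SAP tool): triage helper that embeds the
# July 2023 note list (constructed from the table above) and answers the post's
# question: which notes apply to the components we run, and in what order.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2}

# (SAP Note, component, severity, CVSS), copied from the table above
JULY_2023 = [
    ("2622660", "BC-FES-BUS-DSK", "Hot News", 10.0),
    ("3350297", "IS-OIL-DS-HPM", "Hot News", 9.1),
    ("3331376", "BW-BCT-GEN", "High", 8.7),
    ("3233899", "BC-CST-WDP", "High", 8.6),
    ("3331029", "BC-SYB-SQA-SRV", "High", 7.8),
    ("3340735", "BC-CST-WDP", "High", 7.7),
    ("3352058", "SV-SMG-DIA-SRV-AGT", "High", 7.2),
    ("3348145", "SV-SMG-DIA-SRV-AGT", "High", 7.2),
    ("3343547", "BC-XI-IS-WKB", "Medium", 6.5),
    ("3343564", "BC-XI-IS-WKB", "Medium", 6.5),
    ("3341211", "FI-FIO-GL-TRA", "Medium", 6.3),
    ("3326769", "KM-SEN-MGR", "Medium", 6.1),
    ("3318850", "BC-MID-RFC", "Medium", 6.0),
    ("3320702", "BI-BIP-SRV", "Medium", 5.9),
    ("3324732", "BC-JAS-SEC", "Medium", 5.3),
    ("3351410", "IS-DFS-BIT-DIS", "Medium", 4.9),
    ("3088078", "BW-BEX-OT-BICS-PROV", "Medium", 4.5),
]
# Notes the post singles out: both Web Dispatcher, both Solution Manager, DFPS log injection
FOCUS_NOTES = {"3233899", "3340735", "3352058", "3348145", "3351410"}


def component_matches(note_component: str, installed: set[str]) -> bool:
    """Assumption: SAP component codes are a dash-separated hierarchy (BC-CST-WDP under
    BC-CST under BC), so an installed prefix such as 'BC-CST' covers everything beneath it."""
    return any(note_component == c or note_component.startswith(c + "-") for c in installed)


def triage(installed: set[str], notes=JULY_2023) -> list[tuple[str, str, str, float]]:
    """Notes relevant to the installed components, most urgent first: post-highlighted
    notes, then severity band, then CVSS descending (stable sort keeps table order on ties)."""
    relevant = [n for n in notes if component_matches(n[1], installed)]
    return sorted(relevant, key=lambda n: (n[0] not in FOCUS_NOTES, SEVERITY_RANK[n[2]], -n[3]))


if __name__ == "__main__":
    # Constructed landscape: Web Dispatcher, Solution Manager diagnostics agents, PI
    for note, comp, sev, score in triage({"BC-CST-WDP", "SV-SMG-DIA", "BC-XI"}):
        print(f"{note}  {sev:<8} {score:>4}  {comp}")
```

Feeding the helper a list of installed components gives the month's open backlog for that landscape; components with no matching note simply drop out, which is the manual cross-check the post says customers repeat every Patch Day.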