SAP Security Patch Day – August 2023
While many SAP security experts are enjoying well-deserved summer vacations, the consistent cadence of SAP’s security patch releases continues uninterrupted. Today is August 8th, 2023, a date you might have already marked as the designated Patch Day for August. If you find yourself tired of calendar reminders, we recommend trying out the SecurityBridge Patch Management Application. Users of the Cybersecurity Platform for SAP will receive push notifications for every patch release, ensuring that critical security patches are never overlooked.
Today's SAP Security Patch Day has seen a total of 19 new patches and 3 updates from previous releases.
As is our regular habit, we look into the highlights of today's release. If you are looking for an overview of recent patch day articles, you can navigate to this page. Our experts have reviewed the patches provided and are working on updating the SecurityBridge Threat Detection signatures to enable detection of the exploitation of unpatched vulnerabilities.
SAP Security Patches August 2023
Let’s delve into the details of the SAP Security Patch Day for August 2023. First off, let’s take a look at the highest-priority security patches. Within the SAP vocabulary, these are referred to as ‘Hot News,’ which encompass CVSS scores ranging from 9.1 to 10.
Starting with the Hot News
Two Hot News security patches are included in today’s release. One (SNote 3341460) is new and contains a collective fix for multiple vulnerabilities residing in the SAP PowerDesigner product, more specifically in the SAP PowerDesigner Proxy. The second is an update (now at version 19) of SNote 3350297, which resolves an OS Command Injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL). This correction should only concern IS-OIL customers. The recent update contains more detailed information about prerequisites and important remarks regarding IS-OIL switches that, if wrongly used, can cause harm to your system.
Focus on SAP BusinessObjects, SAP Business One, SAP Message Server and SAP Commerce, with High Priority
Five main system types received high-priority corrections and hence require our attention as we review the SAP Security Patches released in August ’23.
Focus on SAP BusinessObjects
SAP BusinessObjects has received three corrections, including patch 3312047. This patch addresses a Denial of Service (DoS) vulnerability stemming from the use of a vulnerable version of Commons FileUpload within the SAP BusinessObjects Business Intelligence Platform (CMC). The patch title indicates that the SAP component has resolved a vulnerability resulting from the usage of the ‘commons-fileupload’ component, which is described in CVE-2023-24998.
Additionally, today marked the release of patch 3317710 – [CVE-2023-37490], addressing a Binary Hijack vulnerability within the SAP BusinessObjects Business Intelligence Suite (installer), which has been assigned a CVSS score of 7.6. This issue is rooted in the installer routine, potentially granting an unauthenticated attacker with network access the ability to overwrite or manipulate executables utilized during the installation process.
Our experts have identified various attack scenarios, including the potential implementation of backdoors or ransomware. It’s important to note that exploitation of this vulnerability can be challenging to detect for clients. Therefore, we strongly recommend the prompt implementation of this corrective patch.
Tagged with priority “Medium” comes another correction for SAP BusinessObjects: SNote 3312586, with a CVSS score of 4.4, addresses the [CVE-2023-39440] Information Disclosure vulnerability in the SAP BusinessObjects Business Intelligence Platform.
Focus on SAP Message Server
The SAP Message Server is an integral part of the ABAP Server Central Services Instance (ASCS instance). This critical component, present in all SAP installations, has received a High priority update with SNote 3344295. This update addresses an SAP vulnerability related to Improper Authorization checks. The risk associated with unpatched systems is that the Access Control List (ACL) can be bypassed under certain conditions.
There are several prerequisites that must be met, including SAP Message Server versions ranging from 7.22 to 7.77. We intentionally do not provide extensive details on this public page. Instead, the relevant information is accessible exclusively to registered SAP customers. The correction should be prioritized based on our experts’ recommendations. It’s important to note that implementing this update might require downtime. A workaround has been outlined within the note, which can help bridge the gap between the present and full implementation to mitigate the risk of exploitation.
Focus on SAP Business One
This product has received three updates, with two of them being tagged as High priority. SNote 3337797 addresses a SQL Injection vulnerability in SAP Business One (B1i Layer), mitigating CVE-2023-33993. Additionally, SNote 3358300 resolves a Cross-Site Scripting (XSS) vulnerability with a CVSS score of 7.6.
Both of these patches are straightforward and require no further explanation. While applying the patches, be sure not to overlook SNote 3333616, which has a severity level of Medium. You can find these patches on the SAP ONE Support Launchpad – Software Center.
Focus on SAP PowerDesigner
And more, Affected System Types
While you can find the summary sorted by severity in the list below, in this section we provide structured insight into which system types have received a security update. Following our experts' analysis, we find corrections for SAP ABAP and ABAP Platform (5), SAP Business One (3), SAP BusinessObjects (3), SAP Commerce & Commerce Cloud (2), SAP Host Agent (1), SAP Message Server (1), SAP PowerDesigner (2), SAP PI (1) and SAPUI5 (1).
Overall, a rather wide range of system types has received a security update in this month's SAP Security Patch Day. For customers this could mean additional effort, since the various components cannot be patched following the same procedure.
Summary by Severity
The August release contains a total of 19 patches for the following severities:
Severity | Number |
---|---|
Hot News | 2 |
High | 7 |
Medium | 8 |
Low | 2 |
Note | Description | Severity | CVSS |
---|---|---|---|
3341460 | [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner Priority: HotNews Released on: 08.08.2023 Components: BC-SYB-PD Category: Program error | Hot News | 9.8 |
3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) Priority: HotNews Released on: 25.07.2023 Components: IS-OIL-DS-HPM Category: Program error | Hot News | 9.1 |
3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud Priority: Correction with high priority Released on: 08.08.2023 Components: CEC-SCC-PLA-PL Category: Program error | High | 8.8 |
3341599 | [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner Priority: Correction with high priority Released on: 08.08.2023 Components: BC-SYB-PD Category: Program error | High | 7.8 |
3358300 | [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One Priority: Correction with high priority Released on: 08.08.2023 Components: SBO-CRO-SEC Category: Program error | High | 7.6 |
3317710 | [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer) Priority: Correction with high priority Released on: 08.08.2023 Components: BI-BIP-INS Category: Program error | High | 7.6 |
3312047 | Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC) Priority: Correction with high priority Released on: 08.08.2023 Components: BI-BIP-CMC Category: Program error | High | 7.5 |
3344295 | [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server Priority: Correction with high priority Released on: 08.08.2023 Components: BC-CST-MS Category: Program error | High | 7.5 |
3337797 | [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer) Priority: Correction with high priority Released on: 08.08.2023 Components: SBO-CRO-SEC Category: Program error | High | 7.1 |
2032723 | Switchable authorization checks for RFC in SRM Priority: Correction with medium priority Released on: 11.11.2014 Components: SRM-EBP-INT Category: Program error | Medium | 6.3 |
3350494 | [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration Priority: Correction with medium priority Released on: 08.08.2023 Components: BC-XI-IBF-WU Category: Program error | Medium | 6.1 |
3149794 | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 Priority: Correction with medium priority Released on: 08.08.2023 Components: CA-UI5-COR Category: Program error | Medium | 6.1 |
3341934 | [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API) Priority: Correction with medium priority Released on: 08.08.2023 Components: CEC-SCC-COM-BC-OCC Category: Program error | Medium | 5.9 |
2067220 | [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management Priority: Correction with medium priority Released on: 08.08.2023 Components: SRM-EBP-ADM-XBP Category: Program error | Medium | 5.8 |
3333616 | [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer) Priority: Correction with medium priority Released on: 08.08.2023 Components: SBO-CRO-SEC Category: Program error | Medium | 5.3 |
3348000 | [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform Priority: Correction with medium priority Released on: 08.08.2023 Components: BC-CCM-CNF-PFL Category: Program error | Medium | 4.9 |
3312586 | [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform Priority: Correction with medium priority Released on: 08.08.2023 Components: BI-RA-WBI Category: Program error | Medium | 4.4 |
3358328 | [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent Priority: Correction with low priority Released on: 08.08.2023 Components: BC-CCM-HAG Category: Consulting | Low | 3.7 |
3156972 | URL Redirection vulnerability in SAP S/4HANA (Managed Catalogue Item and Catalogue search) Priority: Correction with low priority Released on: 08.08.2023 Components: MM-FIO-PUR-REQ-SSP Category: Program error | Low | 3.5 |