Skip to content
SAP security Patch day

SAP Security Patch Day – August 2023

Christoph Nagy
Managing director
August 8, 2023
7 min read
Chapters

Share Article

While many SAP security experts are enjoying well-deserved summer vacations, the consistent cadence of SAP’s security patch releases continues uninterrupted. Today is August 8th, 2023, a date you might have already marked as the designated Patch Day for August. If you find yourself tired of calendar reminders, we recommend trying out the SecurityBridge Patch Management Application. Users of the Cybersecurity Platform for SAP will receive push notifications for every patch release, ensuring that critical security patches are never overlooked.

Todays SAP Security Patch Day has seen a total number of 19 new patches and 3 updates from previous release.
As regular habit we look into the highlights of todays release. If you look for an overview of recent patch day articles, you can navigate to this page. Our experts have reviewed the patches provides and working on the update of SecurityBridge Threat Detection signatures to enable the detection of exploitation of unpatches vulnerabilities.

SAP Security Patches August 2023

Let’s delve into the details of the SAP Security Patch Day for August 2023. First off, let’s take a look at the highest-priority security patches. Within the SAP vocabulary, these are referred to as ‘Hot News,’ which encompass CVSS scores ranging from 9.1 to 10.

Starting with the Hot News

Two Hot News Security Patches are included in today’s release, one (SNote 3341460) of which is new and contains a collective fix of multiple vulnerabilities residing in the SAP PowerDesigner product, more specific in the SAP PowerDesign Proxy. The second contains an update (meanwhile in version 19) of SNote 3350297 that resolve a OS Command Injection vulnerability in SAP ECC and SAP/S4HANA (IS-OIL). This correction should only concern IS-OIL customers. The recent update contains more detailed information about prerequisites and important remarks regarding IS-OIL switches that wrongly used, can cause harm to your system.

Focus on SAP BusinessObjects, SAP Business One, SAP Message Server and SAP Commerce, with High Priority

Five main system types received high priority corrections, hence require our attention as we review the SAP Security Patches released in August ’23.

Focus on SAP BusinessObjects

The SAP BusinessObjects has been the recipient of three corrections, involving patch 3312047. This patch addresses a Denial of Service (DoS) vulnerability stemming from the utilization of a vulnerable version of Commons FileUpload within the SAP BusinessObjects Business Intelligence Platform (CMC). The patch title indicates that the SAP component has resolved a vulnerability resulting from the usage of the ‘commons-fileupload’ component, which is described in CVE-2023-24998.

Additionally, today marked the release of patch 3317710 – [CVE-2023-37490], addressing a Binary Hijack vulnerability within the SAP BusinessObjects Business Intelligence Suite (installer), which has been assigned a CVSS score of 7.6. This issue is rooted in the installer routine, potentially granting an unauthenticated attacker with network access the ability to overwrite or manipulate executables utilized during the installation process.

Our experts have identified various attack scenarios, including the potential implementation of backdoors or ransomware. It’s important to note that exploitation of this vulnerability can be challenging to detect for clients. Therefore, we strongly recommend the prompt implementation of this corrective patch.

Tagged with a priority “Medium” comes another correction for SAP BusinessObject with SNote 3312586 and a CVSS of 4.4 addressing [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform.

Focus on SAP Message Server

The SAP Message Server is an integral part of the ABAP Server Central Services Instance (ASCS instance). This critical component, present in all SAP installations, has received a High priority update with SNote 3344295. This update addresses an SAP vulnerability related to Improper Authorization checks. The risk associated with unpatched systems is that the Access Control List (ACL) can be bypassed under certain conditions.

There are several prerequisites that must be met, including SAP Message Server versions ranging from 7.22 to 7.77. We intentionally do not provide extensive details on this public page. Instead, the relevant information is accessible exclusively to registered SAP customers. The correction should be prioritized based on our experts’ recommendations. It’s important to note that implementing this update might require downtime. A workaround has been outlined within the note, which can help bridge the gap between the present and full implementation to mitigate the risk of exploitation.

Focus on SAP Business One

This product has received three updates, with two of them being tagged as High priority. SNote 3337797 addresses a SQL Injection vulnerability in SAP Business One (B1i Layer), mitigating CVE-2023-33993. Additionally, SNote 3358300 resolves a Cross-Site Scripting (XSS) vulnerability with a CVSS score of 7.6.

Both of these patches are straightforward and require no further explanation. While applying the patches, be sure not to overlook SNote 3333616, which has a severity level of Medium. You can find these patches on the SAP ONE Support Launchpad – Software Center.

Focus on SAP Power Designer

Next to Hot News SNote 3341460 which contains a collective fix of multiple vulnerabilities residing in the SAP PowerDesigner product, also the SNote 3341599 which High priority has been released to resolve a Code Injection vulnerability in SAP PowerDesigner.

And more, Affected System Types

While you can find the summary sorted by severity in the list below, in this section we provide structured insight in which system types have received a security update. Following our experts analysis we find correction for the SAP ABAP and ABAP Platform (5), SAP Business One (3), SAP Business Objects (3), SAP Commerce & Commerce Cloud (2), SAP Host Agent (1), SAP Message Server (1), SAP PowerDesigner(2), SAP PI (1) and SAPUI5 (1).

Overall a rather wide scope of affected system types have received a security update in the SAP Security Patch Day of this month. For customers this could means additional effort since the various components can not be patched following the same procedure. 

Summary by Severity

The August release contains a total of 19 patches for the following severities:

Severity Number
Hot News
2
High
7
Medium
8
Low
2
Note Description Severity CVSS
3341460 [CVE-2023-37483] Multiple Vulnerabilities in SAP PowerDesigner
Priority: HotNews
Released on: 08.08.2023
Components: BC-SYB-PD
Category: Program error
Hot News 9.8
3350297 [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
Priority: HotNews
Released on: 25.07.2023
Components: IS-OIL-DS-HPM
Category: Program error
Hot News 9.1
3346500 [CVE-2023-39439] Improper authentication in SAP Commerce Cloud
Priority: Correction with high priority
Released on: 08.08.2023
Components: CEC-SCC-PLA-PL
Category: Program error
High 8.8
3341599 [CVE-2023-36923] Code Injection vulnerability in SAP PowerDesigner
Priority: Correction with high priority
Released on: 08.08.2023
Components: BC-SYB-PD
Category: Program error
High 7.8
3358300 [CVE-2023-39437] Cross-Site Scripting (XSS) vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 08.08.2023
Components: SBO-CRO-SEC
Category: Program error
High 7.6
3317710 [CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)
Priority: Correction with high priority
Released on: 08.08.2023
Components: BI-BIP-INS
Category: Program error
High 7.6
3312047 Denial of Service (DoS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP BusinessObjects Business Intelligence Platform (CMC)
Priority: Correction with high priority
Released on: 08.08.2023
Components: BI-BIP-CMC
Category: Program error
High 7.5
3344295 [CVE-2023-37491] Improper Authorization check vulnerability in SAP Message Server
Priority: Correction with high priority
Released on: 08.08.2023
Components: BC-CST-MS
Category: Program error
High 7.5
3337797 [CVE-2023-33993] SQL Injection vulnerability in SAP Business One (B1i Layer)
Priority: Correction with high priority
Released on: 08.08.2023
Components: SBO-CRO-SEC
Category: Program error
High 7.1
2032723 Switchable authorization checks for RFC in SRM
Priority: Correction with medium priority
Released on: 11.11.2014
Components: SRM-EBP-INT
Category: Program error
Medium 6.3
3350494 [CVE-2023-37488] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration
Priority: Correction with medium priority
Released on: 08.08.2023
Components: BC-XI-IBF-WU
Category: Program error
Medium 6.1
3149794 Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5
Priority: Correction with medium priority
Released on: 08.08.2023
Components: CA-UI5-COR
Category: Program error
Medium 6.1
3341934 [CVE-2023-37486] Information Disclosure vulnerability in SAP Commerce (OCC API)
Priority: Correction with medium priority
Released on: 08.08.2023
Components: CEC-SCC-COM-BC-OCC
Category: Program error
Medium 5.9
2067220 [CVE-2023-39436] Information Disclosure in SAP Supplier Relationship Management
Priority: Correction with medium priority
Released on: 08.08.2023
Components: SRM-EBP-ADM-XBP
Category: Program error
Medium 5.8
3333616 [CVE-2023-37487] Security Misconfiguration vulnerability in SAP Business One (Service Layer)
Priority: Correction with medium priority
Released on: 08.08.2023
Components: SBO-CRO-SEC
Category: Program error
Medium 5.3
3348000 [CVE-2023-37492] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 08.08.2023
Components: BC-CCM-CNF-PFL
Category: Program error
Medium 4.9
3312586 [CVE-2023-39440] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: Correction with medium priority
Released on: 08.08.2023
Components: BI-RA-WBI
Category: Program error
Medium 4.4
3358328 [CVE-2023-36926] Information disclosure vulnerability in SAP Host Agent
Priority: Correction with low priority
Released on: 08.08.2023
Components: BC-CCM-HAG
Category: Consulting
Low 3.7
3156972 URL Redirection vulnerability in SAP S/4HANA (Managed Catalogue Item and Catalogue search)
Priority: Correction with low priority
Released on: 08.08.2023
Components: MM-FIO-PUR-REQ-SSP
Category: Program error
Low 3.5