Skip to content
SAP security Patch day

SAP Security Patch Day – July 2023

Christoph Nagy
Managing director
July 11, 2023
5 min read
Chapters

Share Article

Today is July 11th, the 192nd day of 2023, and it’s SAP Security Patch Day! While all security-conscious SAP customers should already be aware of this, the leading vendor for enterprise applications releases security updates for its extensive product portfolio every second Tuesday of the month. SAP’s Response Team has released 17 security updates (containing 2 updates from previous releases), including two with Hot News Priority and several High Priority patches.

Let’s delve into the key highlights of the July SAP Security Patch Day as there is substantial work to be done. Ensuring the resilience of your SAP system against cyber threats necessitates diligent Patch Management, which should never be overlooked.

SAP customers need to invest a significant amount of time in identifying the relevant patches that apply to the product components used by their organizations. This effort is multiplied every month on SAP Security Patch Day. If this backlog is not addressed, it will continue to grow, increasing the risk of exploitation at the same time.

SAP Security Patches July 2023

Today, we will not begin with the SNotes of the highest priority because our team of experts has identified three major areas that require emphasis on this SAP Security Patch Day.

SAP Web Dispatcher Security

Firstly, we recommend focusing on the SAP WebDispatcher, as it is a critical component in many architectures with a public-facing connection. It is essential to validate SNote 3233899, which addresses the issues of request smuggling and request concatenation vulnerabilities in SAP Web Dispatcher. Additionally, SNote 3340735 has been released to address a memory corruption vulnerability in SAP Web Dispatcher.

SAP Industry Solutions Security

The second area of attention focuses on the ABAP-Stack of specific Industry solutions, which may not be a priority for the majority of SAP customers, especially if they are not using those particular SAP Industry solutions.

SNote 3350297 (Hot News) addresses an OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL). This vulnerability allows an authenticated attacker to inject arbitrary operating system commands through the IS-OIL component of SAP ECC and SAP S/4HANA.
Another vulnerability, a Log Injection vulnerability in SAP ERP Defense Forces and Public Security, has been fixed in SNote 3351410. Although the patch carries a CVSS score of “only” 4.9, given the current geopolitical tensions, it would be wise to prioritize it. Many attacks rely on exploiting multiple unpatched vulnerabilities in a chain, allowing the attacker to achieve their goals.

SAP Solution Manager Security

Lastly, but equally important, we would like to draw your attention to the SAP Solution Manager vulnerabilities that have been addressed in the current SAP Security Patch Day of July 2023. The SAP Solution Manager is one of the most critical components in every SAP customer’s architecture, and it serves as an entry point for threat actors. Despite being an often overlooked component in the SAP product family, the risk exposure should not be underestimated.

In this regard, it is essential to review SNote 3352058 (CVSS 7.2), which addresses an Unauthenticated Blind SSRF vulnerability in Solution Manager (Diagnostic Agent). Additionally, SNote 3348145 (CVSS 7.2) fixes a Header Injection vulnerability in SAP Solution Manager (Diagnostic Agent).

Summary by Severity

The July release contains a total of 17 patches for the following severities:

Severity Number
Hot News
2
High
6
Medium
9
Note Description Severity CVSS
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error
Hot News 10.0
3350297 [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
Priority: HotNews
Released on: 11.07.2023
Components: IS-OIL-DS-HPM
Category: Program error
Hot News 9.1
3331376 [CVE-2023-33989] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON)
Priority: Correction with high priority
Released on: 11.07.2023
Components: BW-BCT-GEN
Category: Program error
High 8.7
3233899 [CVE-2023-33987] Request smuggling and request concatenation vulnerability in SAP Web Dispatcher
Priority: Correction with high priority
Released on: 11.07.2023
Components: BC-CST-WDP
Category: Program error
High 8.6
3331029 [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere
Priority: Correction with high priority
Released on: 11.07.2023
Components: BC-SYB-SQA-SRV
Category: Program error
High 7.8
3340735 [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher
Priority: Correction with high priority
Released on: 11.07.2023
Components: BC-CST-WDP
Category: Program error
High 7.7
3352058 [CVE-2023-36925] Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent)
Priority: Correction with high priority
Released on: 11.07.2023
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
High 7.2
3348145 [CVE-2023-36921] Header Injection in SAP Solution Manager (Diagnostic Agent)
Priority: Correction with high priority
Released on: 11.07.2023
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
High 7.2
3343547 [CVE-2023-35873] Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench)
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BC-XI-IS-WKB
Category: Program error
Medium 6.5
3343564 [CVE-2023-35872] Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool)
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BC-XI-IS-WKB
Category: Program error
Medium 6.5
3341211 [CVE-2023-35870] Improper Access Control in SAP S/4HANA (Manage Journal Entry Template)
Priority: Correction with medium priority
Released on: 11.07.2023
Components: FI-FIO-GL-TRA
Category: Program error
Medium 6.3
3326769 [Multiple CVEs] Multiple Vulnerabilities in SAP Enable Now
Priority: Correction with medium priority
Released on: 11.07.2023
Components: KM-SEN-MGR
Category: Program error
Medium 6.1
3318850 [CVE-2023-35874] Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BC-MID-RFC
Category: Program error
Medium 6.0
3320702 [CVE-2023-36917] Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BI-BIP-SRV
Category: Program error
Medium 5.9
3324732 [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BC-JAS-SEC
Category: Program error
Medium 5.3
3351410 [CVE-2023-36924] Log Injection vulnerability in SAP ERP Defense Forces and Public Security
Priority: Correction with medium priority
Released on: 11.07.2023
Components: IS-DFS-BIT-DIS
Category: Program error
Medium 4.9
3088078 [CVE-2023-33992] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BW-BEX-OT-BICS-PROV
Category: Program error
Medium 4.5