SAP Security Patch Day – December 2023
On this last SAP Security Patch Day of 2023, another set of security patches has been released. Previous releases contained a relatively low number of patches, but this month 17 notes have been released or updated. The so-called ‘HotNews’ notes have the highest priority, but keep in mind that all patches should be carefully analyzed and implemented accordingly. Patch management plays a vital role in keeping SAP landscapes safe! So don’t get into ‘holiday mode’ just yet; let’s look at some interesting points of this month’s release.
The SecurityBridge Patch Management solution helps to gain insight into, and manage the implementation of, missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit for managing patches effectively. Newly released security patches from SAP are seamlessly integrated.
SAP Security Patches December 2023
For December 2023, 3 ‘HotNews’ notes are mentioned that we will look into a bit further. In SAP terms, ‘HotNews’ refers to CVSS scores from 9.1 to 10.
Note that SAP note 2622660 is updated regularly whenever a new Google Chromium version is delivered with SAP Business Client. This month’s update concerns a CVSS rating of ‘8.8’.
HotNews update for IS-OIL – discovered by SecurityBridge
Perhaps you remember SAP note 3350297 from the July release earlier this year. It concerns an OS command injection vulnerability in the IS-OIL solution that can give an attacker extensive control. The note was first released on July’s patch day, but it then became clear that importing the note on non-IS-OIL systems could do serious harm, which is why the note description was updated accordingly.
Meanwhile, the SecurityBridge research team has discovered that the fix from note 3350297 is incomplete and leaves customers vulnerable, which is why SAP has released a new HotNews note, 3399691, to resolve this. Customers that use IS-OIL should analyse this update to stay safe. Refer to FAQ note 3349318 for further details.
SAP BTP Security Services Integration Libraries
SAP note 3411067 reports a possible escalation of privileges when using the SAP BTP Security Services Integration Libraries. The CVSS rating is ‘9.1’ and concerns multiple libraries for Node.js, Java, Python and Golang. There is no workaround, so patching and thorough testing are required for the mentioned libraries and the applications built on them.
Other security notes
Apart from the ‘HotNews’ notes, below are highlights of notes that require additional steps or other actions.
- Note 3159329: requires an update of a SAPUI5 library. Note the update procedure mentioned in note 3155948.
- Note 3363690: vulnerability in SAP Master Data Governance. Note the additional steps required to consume the fix, as mentioned in the note.
- Note 3394567: after applying the patch, a rebuild and redeployment of the updated SAP Commerce Cloud version is required.
SAP Security Notes December 2023
Summary by Severity
The December release contains a total of 17 patches for the following severities:
Severity | Number
---|---
Hot News | 4
High | 4
Medium | 7
Low | 2
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.04.2018 | BC-FES-BUS-DSK | Program error | Hot News | 10.0
3411067 | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries | HotNews | 12.12.2023 | BC-CP-CF-SEC-LIB | Program error | Hot News | 9.1
3399691 | Update 1 to 3350297 - [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 12.12.2023 | IS-OIL-DS-HPM | Program error | Hot News | 9.1
3350297 | [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) | HotNews | 11.07.2023 | IS-OIL-DS-HPM | Program error | Hot News | 9.1
3394567 | [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud | Correction with high priority | 12.12.2023 | CEC-COM-CPS | Program error | High | 8.1
3382353 | [CVE-2023-42478] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | Correction with high priority | 12.12.2023 | BI-BIP-ADM | Program error | High | 7.5
3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java | Correction with high priority | 12.12.2023 | BC-FES-GUI | Program error | High | 7.3
3406244 | [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID | Correction with high priority | 12.12.2023 | CEC-EMA | Program error | High | 7.1
3369353 | [CVE-2023-42476] Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence | Correction with medium priority | 12.12.2023 | BI-RA-WBI-FE | Program error | Medium | 6.8
3395306 | [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager | Correction with medium priority | 12.12.2023 | SV-SMG-IMP | Program error | Medium | 6.4
3383321 | [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct | Correction with medium priority | 12.12.2023 | FIN-FSCM-BD | Program error | Medium | 6.1
3217087 | [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution) | Correction with medium priority | 12.12.2023 | PY-IE | Program error | Medium | 6.1
3159329 | Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5 | Correction with medium priority | 12.12.2023 | CA-UI5-COR-FND | Program error | Medium | 5.3
3406786 | [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad | Correction with medium priority | 12.12.2023 | CA-FLP-ABA | Program error | Medium | 4.3
3392547 | [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Correction with medium priority | 12.12.2023 | BC-CCM-MON-ORA | Program error | Medium | 4.1
3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | Correction with low priority | 12.12.2023 | CA-MDG-ML | Program error | Low | 3.5
3362463 | [CVE-2023-49578] Denial of service (DOS) in SAP Cloud Connector | Correction with low priority | 12.12.2023 | BC-MID-SCC | Program error | Low | 3.5