
SAP Security Patch Day – December 2023

SAP security Patch day

Posted by Gert-Jan Koster


On this last SAP Security Patch Day of 2023, another set of security patches has been released. Previous releases contained a relatively low number of patches, but this month 17 notes have been released that are either new or updated. The so-called ‘HotNews’ notes have the highest priority, but keep in mind that all patches should be carefully analyzed and implemented accordingly. Patch management plays a vital role in keeping SAP landscapes safe! So don’t get into ‘holiday mode’ just yet; let’s look at some interesting points of this month’s release.

The SecurityBridge Patch Management solution helps to gain insight on and manage the implementation of missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit to manage patches effectively. Newly released security patches from SAP are seamlessly integrated.

SAP Security Patches December 2023

For December 2023, 3 ‘HotNews’ notes are listed, and we will look into them a bit further below. In SAP terms, ‘HotNews’ refers to CVSS scores from 9.1 to 10.

Note that SAP note 2622660 is updated frequently whenever new Google Chromium updates are delivered with SAP Business Client. This month, the actual updates carry a CVSS rating of ‘8.8’.

HotNews update for IS-OIL - discovered by SecurityBridge

Perhaps you remember SAP note 3350297 from the July release earlier this year. It concerns an OS command injection vulnerability in the IS-OIL solution that can give an attacker extensive control over the system. The note was first released on July’s patch day, but it then became clear that importing the note on non-IS-OIL systems could do serious harm, which is why the note description was updated accordingly.

Meanwhile, the SecurityBridge research team has discovered that the solution from note 3350297 is incomplete and leaves customers vulnerable, which is why SAP has released a new HotNews note, 3399691, to resolve this. Customers that use IS-OIL should analyse this update to stay safe. Refer to FAQ note 3349318 for further details.

SAP BTP Security Services Integration Libraries

SAP note 3411067 reports a possible escalation of privileges when using the SAP BTP Security Services Integration Libraries. The CVSS rating is ‘9.1’, and the note concerns multiple libraries for Node.js, Java, Python and Golang. There is no workaround, so patching and thorough testing are required for the mentioned libraries and programming infrastructures.

Other security notes

Apart from the ‘HotNews’ notes, the highlights below cover notes that require additional steps or other actions.

  • Note 3159329: requires an update of a SAPUI5 library. Note the update procedure mentioned in note 3155948.
  • Note 3363690: vulnerability in SAP Master Data Governance. Note the additional steps required to consume the fix, as mentioned in the note.
  • Note 3394567: after applying the patch, a re-build and re-deploy of the updated SAP Commerce Cloud version is required.

SAP Security Notes December 2023

Summary by Severity

The December release contains a total of 17 patches for the following severities:

Severity    Number
Hot News    4
High        4
Medium      7
Low         2
Notes by Severity and CVSS

  • Note 2622660: Security updates for the browser control Google Chromium delivered with SAP Business Client
    Severity: Hot News, CVSS 10.0 | Priority: HotNews | Released on: 10.04.2018 | Components: BC-FES-BUS-DSK | Category: Program error
  • Note 3411067: [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries
    Severity: Hot News, CVSS 9.1 | Priority: HotNews | Released on: 12.12.2023 | Components: BC-CP-CF-SEC-LIB | Category: Program error
  • Note 3399691: Update 1 to 3350297 - [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
    Severity: Hot News, CVSS 9.1 | Priority: HotNews | Released on: 12.12.2023 | Components: IS-OIL-DS-HPM | Category: Program error
  • Note 3350297: [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
    Severity: Hot News, CVSS 9.1 | Priority: HotNews | Released on: 11.07.2023 | Components: IS-OIL-DS-HPM | Category: Program error
  • Note 3394567: [CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud
    Severity: High, CVSS 8.1 | Priority: Correction with high priority | Released on: 12.12.2023 | Components: CEC-COM-CPS | Category: Program error
  • Note 3382353: [CVE-2023-42478] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
    Severity: High, CVSS 7.5 | Priority: Correction with high priority | Released on: 12.12.2023 | Components: BI-BIP-ADM | Category: Program error
  • Note 3385711: [CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java
    Severity: High, CVSS 7.3 | Priority: Correction with high priority | Released on: 12.12.2023 | Components: BC-FES-GUI | Category: Program error
  • Note 3406244: [CVE-2023-6542] Missing Authorization Check in SAP EMARSYS SDK ANDROID
    Severity: High, CVSS 7.1 | Priority: Correction with high priority | Released on: 12.12.2023 | Components: CEC-EMA | Category: Program error
  • Note 3369353: [CVE-2023-42476] Cross Site Scripting vulnerability in SAP BusinessObjects Web Intelligence
    Severity: Medium, CVSS 6.8 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: BI-RA-WBI-FE | Category: Program error
  • Note 3395306: [CVE-2023-49587] Command Injection vulnerability in SAP Solution Manager
    Severity: Medium, CVSS 6.4 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: SV-SMG-IMP | Category: Program error
  • Note 3383321: [CVE-2023-42479] Cross-Site Scripting (XSS) vulnerability in SAP Biller Direct
    Severity: Medium, CVSS 6.1 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: FIN-FSCM-BD | Category: Program error
  • Note 3217087: [CVE-2023-49577] Cross-Site Scripting (XSS) vulnerability in the SAP HCM (SMART PAYE solution)
    Severity: Medium, CVSS 6.1 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: PY-IE | Category: Program error
  • Note 3159329: Denial of service (DoS) vulnerability in JSZip library bundled within SAPUI5
    Severity: Medium, CVSS 5.3 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: CA-UI5-COR-FND | Category: Program error
  • Note 3406786: [CVE-2023-49584] Client-Side Desynchronization vulnerability in SAP Fiori Launchpad
    Severity: Medium, CVSS 4.3 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: CA-FLP-ABA | Category: Program error
  • Note 3392547: [CVE-2023-49581] SQL Injection vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
    Severity: Medium, CVSS 4.1 | Priority: Correction with medium priority | Released on: 12.12.2023 | Components: BC-CCM-MON-ORA | Category: Program error
  • Note 3363690: [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance
    Severity: Low, CVSS 3.5 | Priority: Correction with low priority | Released on: 12.12.2023 | Components: CA-MDG-ML | Category: Program error
  • Note 3362463: [CVE-2023-49578] Denial of service (DOS) in SAP Cloud Connector
    Severity: Low, CVSS 3.5 | Priority: Correction with low priority | Released on: 12.12.2023 | Components: BC-MID-SCC | Category: Program error