Today is July 11th, the 192nd day of 2023, and it’s SAP Security Patch Day! While all security-conscious SAP customers should already be aware of this, the leading vendor for enterprise applications releases security updates for its extensive product portfolio every second Tuesday of the month. SAP’s Response Team has released 17 security updates (containing 2 updates from previous releases), including two with Hot News Priority and several High Priority patches.
Let’s delve into the key highlights of the July SAP Security Patch Day as there is substantial work to be done. Ensuring the resilience of your SAP system against cyber threats necessitates diligent Patch Management, which should never be overlooked.
SAP customers need to invest a significant amount of time in identifying the relevant patches that apply to the product components used by their organizations. This effort is multiplied every month on SAP Security Patch Day. If this backlog is not addressed, it will continue to grow, increasing the risk of exploitation at the same time.
Today, we will not begin with the SNotes of the highest priority because our team of experts has identified three major areas that require emphasis on this SAP Security Patch Day.
Firstly, we recommend focusing on the SAP WebDispatcher, as it is a critical component in many architectures with a public-facing connection. It is essential to validate SNote 3233899, which addresses the issues of request smuggling and request concatenation vulnerabilities in SAP Web Dispatcher. Additionally, SNote 3340735 has been released to address a memory corruption vulnerability in SAP Web Dispatcher.
The second area of attention focuses on the ABAP-Stack of specific Industry solutions, which may not be a priority for the majority of SAP customers, especially if they are not using those particular SAP Industry solutions.
SNote 3350297 (Hot News) addresses an OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL). This vulnerability allows an authenticated attacker to inject arbitrary operating system commands through the IS-OIL component of SAP ECC and SAP S/4HANA.
Another vulnerability, a Log Injection vulnerability in SAP ERP Defense Forces and Public Security, has been fixed in SNote 3351410. Although the patch carries a CVSS score of “only” 4.9, given the current geopolitical tensions, it would be wise to prioritize it. Many attacks rely on exploiting multiple unpatched vulnerabilities in a chain, allowing the attacker to achieve their goals.
Lastly, but equally important, we would like to draw your attention to the SAP Solution Manager vulnerabilities that have been addressed in the current SAP Security Patch Day of July 2023. The SAP Solution Manager is one of the most critical components in every SAP customer’s architecture, and it serves as an entry point for threat actors. Despite being an often overlooked component in the SAP product family, the risk exposure should not be underestimated.
In this regard, it is essential to review SNote 3352058 (CVSS 7.2), which addresses an Unauthenticated Blind SSRF vulnerability in Solution Manager (Diagnostic Agent). Additionally, SNote 3348145 (CVSS 7.2) fixes a Header Injection vulnerability in SAP Solution Manager (Diagnostic Agent).
The July release contains a total of 17 patches for the following severities:
| Severity | Number | Hot News | 2 |
|---|---|
High | 6 |
Medium | 9 |
