vahagn1

SAP Security Patch Day – September 2023


On September 12, 2023, SAP once again released a set of security patches addressing vulnerabilities across its product line. This month's SAP Security Patch Day primarily focuses on rectifying program errors. Below is a rundown of the security notes, grouped by priority and listed with their Common Vulnerability Scoring System (CVSS) scores:

HotNews



  • BI-BIP-CMC [CVE-2023-25616]: Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) with a CVSS score of 9.9. First released on 14.03.2023, updated on 12.09.2023.

  • BI-BIP-LCM [CVE-2023-40622]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) with a CVSS score of 9.9. Released on 12.09.2023.

  • BC-IAM-SSO-CCL [CVE-2023-40309]: Missing Authorization check in SAP CommonCryptoLib with a CVSS score of 9.8. Released on 12.09.2023.

  • BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS score of 10.0. First released on 10.04.2018, updated on 12.09.2023.

  • BC-XI-CON-UDS [CVE-2022-41272]: Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. First released on 13.12.2022, updated on 12.09.2023.


High Priority



  • BI-RA-WBI-FE [CVE-2023-42472]: Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) with a CVSS score of 8.7. Released on 12.09.2023.

  • BC-CCM-HAG [CVE-2023-40308]: Memory Corruption vulnerability in SAP CommonCryptoLib with a CVSS score of 7.5. Released on 12.09.2023.


Medium Priority



  • BC-SYB-PD [CVE-2023-40621]: Code Injection vulnerability in SAP PowerDesigner Client with a CVSS score of 6.3. Released on 12.09.2023.

  • MM-FIO-PUR-SQ-CON [CVE-2023-40625]: Missing Authorization check in Manage Purchase Contracts App with a CVSS score of 5.4. Released on 12.09.2023.

  • BC-GP [CVE-2023-41367]: Missing Authentication check in SAP NetWeaver (Guided Procedures) with a CVSS score of 5.3. Released on 12.09.2023.

  • BI-BIP-LCM [CVE-2023-37489]: Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) with a CVSS score of 5.3. Released on 12.09.2023.

  • FS-QUO [CVE-2023-40308]: Denial of service (DoS) vulnerability due to the use of a vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) with a CVSS score of 5.7. Released on 12.09.2023.

  • BC-WD-UR [CVE-2023-40624]: Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) with a CVSS score of 5.5. Released on 12.09.2023.

  • BI-BIP-INS [CVE-2023-40623]: Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) with a CVSS score of 6.2. Released on 12.09.2023.


Low Priority



  • FI-FIO-AP-CHK [CVE-2023-41368]: Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) with a CVSS score of 2.7. Released on 12.09.2023.

  • FI-FIO-AP [CVE-2023-41369]: External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) with a CVSS score of 3.5. Released on 12.09.2023.


Statistics:


Total new SAP notes: 16


Total vulnerabilities addressed: 16


Highest CVSS Score: 10.0 (HotNews) – Security updates for the browser control Google Chromium delivered with SAP Business Client – [CVE-2023-40624]


Description: This HotNews-rated note addresses security updates for the browser control Google Chromium delivered with SAP Business Client, with a critical CVSS score of 10.0.

Top 2 Critical Bugs:



  1. BI-BIP-CMC [CVE-2023-25616]

    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

    • Description: This HotNews-rated note resolves a Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) with a CVSS score of 9.9. Because this vulnerability allows attackers to compromise system integrity and confidentiality, prompt patching is advised to mitigate the risk.



  2. BC-XI-CON-UDS [CVE-2022-41272]

    • CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L)

    • Description: This high-priority note addresses an Improper access control in SAP NetWeaver AS Java (User Defined Search) with a CVSS score of 9.9. As this vulnerability allows unauthorized access, immediate patching is essential to protect the application and its users.






