Overview

SAP’s security patch day for December 2023 has seen the release of 15 OSS SAP security notes. Based on their CVSS v3.0 base scores, three notes have been classified as critical, four as high, six as medium and two as low.

Bar graph: security notes by CVSS v3 base score, December 2023

Four notes have been released for:

  • SAP NetWeaver AS ABAP

Two notes for:

  • SAP BusinessObjects.

In addition, single notes have been released for:

  • SAP BTP
  • SAP Fiori Launchpad
  • SAP Emarsys SDK for Android
  • SAP Solution Manager
  • SAP Commerce Cloud
  • SAP S/4HANA
  • SAP Biller Direct
  • SAP Cloud Connector
  • SAP HCM.

Bar graph: security notes by product category, December 2023

Vulnerabilities: December 2023 Highlights

[Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries (SAP Note 3411067)

Libraries within the SAP BTP Security Services Integration Libraries and Programming Infrastructures allow, under certain conditions, an escalation of privileges. This could lead to an unauthenticated attacker gaining arbitrary permissions within the application.

Update 1 to 3350297 – [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (SAP Note 3399691)

This security note is an update to security note 3350297, because the fix provided in the earlier note was incomplete. Due to a programming error in the function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.
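The note above describes the vulnerability class rather than the code, so the following is an added illustration written for this review; it is not SAP’s IS-OIL code and has nothing to do with ABAP. It shows, in Python, the same defect in miniature: a wrapper that concatenates a caller-supplied parameter into an operating-system command string, next to a hardened version that validates the parameter against an allow-list and passes an argument vector so no shell ever interprets it. The report-name parameter, the `/tmp/reports` path and the sample inputs are all constructed for the example.

```python
import re
import subprocess
from typing import List

# Constructed allow-list: a report name may only contain a short run of
# letters, digits, dot, underscore or hyphen. Anything else is rejected
# before it gets anywhere near an OS command.
_ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Characters that a POSIX shell treats as command separators or expansions.
_SHELL_METACHARS = set(";|&`$<>\n()")


def build_listing_unsafe(report_name: str) -> str:
    """Vulnerable pattern (do not use): the untrusted parameter is pasted into a
    string that will later be handed to a shell, so the shell, not this code,
    decides where the command ends."""
    return "ls -l /tmp/reports/" + report_name


def build_listing_safe(report_name: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. With a list and
    shell=False the value is always one argument, never parsed as shell syntax."""
    if not _ALLOWED_NAME.match(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    return ["ls", "-l", f"/tmp/reports/{report_name}"]


def contains_shell_metachars(command: str) -> bool:
    """Detection helper: True when a built command string carries characters a
    shell would interpret, which is the signal that untrusted input leaked in."""
    return any(ch in _SHELL_METACHARS for ch in command)


def run_listing_safe(report_name: str) -> int:
    """Execute the validated argv without a shell and return the exit status.
    The directory is hypothetical, so on most machines this simply returns
    a non-zero status from ls."""
    argv = build_listing_safe(report_name)
    completed = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: a legitimate report name and one carrying a separator.
    for name in ("dec23_run", "dec23_run; id"):
        unsafe = build_listing_unsafe(name)
        print(f"unsafe string: {unsafe!r} metachars={contains_shell_metachars(unsafe)}")
        try:
            print("safe argv:", build_listing_safe(name))
        except ValueError as exc:
            print("safe builder:", exc)
```

The two builders differ in exactly the way the note describes: the unsafe one leaves the parameter unprotected, the safe one protects it twice, once by rejecting anything outside the allow-list and once by never letting a shell see the value. The second layer matters even when validation is present, because a later change to the allow-list should not silently reopen the injection.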

[CVE-2023-49580] Information disclosure vulnerability in SAP GUI for Windows and SAP GUI for Java (SAP Note 3411067)

[CVE-2023-42481] Improper Access Control vulnerability in SAP Commerce Cloud (SAP Note 3394567)

A locked user in SAP Commerce Cloud can misuse the forgotten password functionality to unblock their user account and regain access.
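The Commerce Cloud note is a logic flaw rather than a parsing bug: credential recovery and account locking are two separate controls, and the reset flow must not undo the lock. The following is an added example written for this review, not SAP Commerce Cloud code; it models a small in-memory account store in Python and places the flawed reset flow (which re-enables the account) beside a corrected one (where a lock survives a reset and only an administrator can clear it). The account names, passwords and lock reasons are constructed.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    locked: bool = False                  # administrative lock, independent of the password
    reset_token: Optional[str] = None     # outstanding "forgotten password" token, if any


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str, locked: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(username, _hash(password, salt), salt, locked)


def request_reset(acct: Account) -> str:
    """Issue a one-time token as the 'forgotten password' link would."""
    acct.reset_token = secrets.token_urlsafe(32)
    return acct.reset_token


def _token_valid(acct: Account, token: str) -> bool:
    return acct.reset_token is not None and secrets.compare_digest(acct.reset_token, token)


def complete_reset_vulnerable(acct: Account, token: str, new_password: str) -> bool:
    """Flawed flow: a successful reset is treated as proof the user is in good
    standing, so the lock is cleared along with the old password."""
    if not _token_valid(acct, token):
        return False
    acct.salt = os.urandom(16)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.reset_token = None
    acct.locked = False  # the bug: credential recovery silently lifts the lock
    return True


def complete_reset_fixed(acct: Account, token: str, new_password: str) -> bool:
    """Hardened flow: a locked account cannot complete a reset at all, and even
    if it could, the lock flag is never touched here."""
    if acct.locked or not _token_valid(acct, token):
        return False
    acct.salt = os.urandom(16)
    acct.password_hash = _hash(new_password, acct.salt)
    acct.reset_token = None
    return True


def login(acct: Account, password: str) -> bool:
    """Locked accounts are refused before the password is even compared."""
    if acct.locked:
        return False
    return secrets.compare_digest(_hash(password, acct.salt), acct.password_hash)


def admin_unlock(acct: Account) -> None:
    """The only code path that clears the lock."""
    acct.locked = False


def demo(fixed: bool) -> bool:
    """Replay the scenario from the note against either flow and report whether
    the locked user ends up able to log in."""
    acct = create_account("blocked.user", "OldPassw0rd!", locked=True)
    token = request_reset(acct)
    flow = complete_reset_fixed if fixed else complete_reset_vulnerable
    flow(acct, token, "NewPassw0rd!")
    return login(acct, "NewPassw0rd!")


if __name__ == "__main__":
    print("vulnerable flow lets locked user back in:", demo(fixed=False))
    print("fixed flow lets locked user back in:", demo(fixed=True))
```

In the hardened flow the lock check sits in `complete_reset_fixed` as well as in `login`, so the reset cannot become a side door even if a later refactor removes the check in one place. A production system would also decline to issue a token to a locked account in `request_reset`, while returning the same response to the caller either way so that the lock state is not disclosed.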

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates, produce this security review and send bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
