SAP Security Patch Day December 2023
2023-12-14 06:3:18 Author: blogs.sap.com

On December 12, 2023, SAP once again released its monthly set of security patches, addressing vulnerabilities identified across a range of SAP products. The focus of this month’s SAP Security Patch Day is primarily on fixing program errors that could pose security risks. Below is a detailed overview of the security notes released, organized by severity according to their Common Vulnerability Scoring System (CVSS) scores:

| Vulnerability ID | CVE Number | Description | CVSS Score | Release Date | Update Date |
|---|---|---|---|---|---|
| BI-BIP-CMC | CVE-2023-25616 | Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9.9 | 14.03.2023 | 12.09.2023 |
| BI-BIP-LCM | CVE-2023-40622 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9.9 | 12.09.2023 | |
| BC-IAM-SSO-CCL | CVE-2023-40309 | Missing Authorization check in SAP CommonCryptoLib | 9.8 | 12.09.2023 | |
| BC-FES-BUS-DSK | CVE-2023-40624 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | 10.04.2018 | 12.09.2023 |
| BC-XI-CON-UDS | CVE-2022-41272 | Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9.9 | 13.12.2022 | 12.09.2023 |
| BI-RA-WBI-FE | CVE-2023-42472 | Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 8.7 | 12.09.2023 | |
| BC-CCM-HAG | CVE-2023-40308 | Memory Corruption vulnerability in SAP CommonCryptoLib | 7.5 | 12.09.2023 | |
| BC-SYB-PD | CVE-2023-40621 | Code Injection vulnerability in SAP PowerDesigner Client | 6.3 | 12.09.2023 | |
| MM-FIO-PUR-SQ-CON | CVE-2023-40625 | Missing Authorization check in Manage Purchase Contracts App | 5.4 | 12.09.2023 | |
| BC-GP | CVE-2023-41367 | Missing Authentication check in SAP NetWeaver (Guided Procedures) | 5.3 | 12.09.2023 | |
| BI-BIP-LCM | CVE-2023-37489 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 5.3 | 12.09.2023 | |
| FS-QUO | CVE-2023-40308 | Denial of service (DOS) vulnerability in SAP Quotation Management Insurance (FS-QUO) | 5.7 | 12.09.2023 | |
| BC-WD-UR | CVE-2023-40624 | Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 5.5 | 12.09.2023 | |
| BI-BIP-INS | CVE-2023-40623 | Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | 6.2 | 12.09.2023 | |
| FI-FIO-AP-CHK | CVE-2023-41368 | Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 2.7 | 12.09.2023 | |
| FI-FIO-AP | CVE-2023-41369 | External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | 3.5 | 12.09.2023 | |

Statistics:

  • Total new SAP notes released: 16
  • Total vulnerabilities addressed: 16
  • Highest CVSS Score: 10.0 (HotNews)
      • Security updates for the browser control Google Chromium delivered with SAP Business Client – [CVE-2023-40624]

Top 3 Critical Issues:

1. BC-FES-BUS-DSK [CVE-2023-40624]: Security updates for the browser control Google Chromium delivered with SAP Business Client (CVSS Score: 10.0)

This vulnerability could compromise the integrity and confidentiality of the SAP Business Client through the browser control.

2. BC-CP-CF-SEC-LIB [Multiple CVEs]: Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries (CVSS Score: 9.1)

This issue allows unauthorized escalation of privileges, potentially compromising system security.

3. IS-OIL-DS-HPM [CVE-2023-36922]: OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (CVSS Score: 9.1)

This vulnerability allows attackers to execute arbitrary OS commands, posing a significant threat to the integrity and availability of the system.


Source: https://blogs.sap.com/2023/12/13/sap-security-patch-day-december-2023/