May 2023 saw the release of 25 new and updated SAP patches, including three HotNews Notes and nine High Priority Notes. Notably, Onapsis Research Labs contributed to SAP Patch Tuesday for the fourth consecutive month, underscoring the importance of timely and comprehensive SAP patches.
SAP’s May Patch Day has unveiled a fresh batch of twenty-five Security Notes that have been updated or newly published since the previous Patch Tuesday. This includes a trio of HotNews Notes and nine High Priority Notes that are deemed critical for system administrators to implement.
One of the noteworthy HotNews Notes is the recurring SAP Security Note #2622660, which updates SAP Business Client with the latest supported Chromium patches. The latest SAP Business Client version now supports Chromium version 112.0.5615.121, a release that fixes twenty-six vulnerabilities, thirteen of them rated High Priority. The highest CVSS score among the fixed vulnerabilities is 9.8. Notably, Google shipped version 112.0.5615.121 as an emergency security update after identifying the vulnerability tracked as CVE-2023-2033. Google confirmed that “an exploit for CVE-2023-2033 exists in the wild.” NIST’s vulnerability description states that it could allow “a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
Among the High Priority SAP Notes, #3217303 and #3213507 both belong to a set of five SAP Security Notes initially released in 2022 to address Information Disclosure vulnerabilities in SAP BusinessObjects. The latest update clarifies that HotNews Note #3307833 supersedes these five notes; customers should refer to that note for details.
SAP Patches Multiple Vulnerabilities with May Security Notes
SAP has released Security Note #3328495 to address five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component used by SAP 3D Visual Enterprise License Manager. The note, which carries a CVSS score of 9.8, recommends updating to version 15.0.1-sap2. Alternatively, disabling the affected RLM web interface mitigates the vulnerabilities. The patch itself was already released in January 2023, and keeping all components up to date is always a wise choice. An upgrade procedure is available that installs the newest version with the web interface disabled, replacing the manual steps otherwise required.
Meanwhile, Security Note #3307833 addresses multiple Information Disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform, including a critical vulnerability that allows an authenticated attacker with administrator privileges to access and modify data and to make the system unavailable. Tagged with a CVSS score of 9.1, Note #3307833 supersedes six previous notes, including #3217303, #3145769, #3213524, #3213507, and #3233226, which were initially released in 2022 and updated during SAP’s May Patch Day. SAP recommends that customers who have already implemented these notes also install #3307833 for a complete fix, while those who have yet to implement all of them should apply #3307833 directly.
SAP Security Note #3320467 stands out as potentially the most important note of the month, because it fixes a vulnerability in SAPGUI and therefore affects most SAP customers. The vulnerability allows unauthorized access to a user’s NTLM authentication information by luring the user into clicking a prepared shortcut file, potentially exposing sensitive information depending on the user’s authorizations.
SAP Commerce is also affected by two High Priority Notes, both rated with a CVSS score of 7.5. SAP Security Note #3321309 addresses an Information Disclosure issue in SAP Commerce Backoffice that an attacker can exploit through a crafted POST request to access restricted information, compromising the confidentiality of the system. SAP Security Note #3320145 delivers a patch that updates the vulnerable version of the XStream library shipped with SAP Commerce; the vulnerable version (CVE-2022-41966) allows a remote attacker to cause a denial of service, terminating the application with a stack overflow error.
SAP Collaborates with Onapsis to Address Security Issues
Moreover, SAP has released two Security Notes, #3317453 and #3323415, to patch vulnerabilities in SAP NetWeaver AS JAVA and in the SAP IBP add-in for Microsoft Excel, respectively. Security Note #3317453 fixes an Improper Access Control vulnerability that allows an unauthenticated attacker to manipulate a system’s services without proper authorization, with a high impact on the system’s integrity and a low impact on its confidentiality.
On the other hand, Security Note #3323415 addresses a Privilege Escalation vulnerability that an authenticated attacker could exploit to run code as an administrator, potentially impacting the confidentiality, integrity, and availability of the system. The note warns that previously installed versions of the Excel add-in may have been exploited and recommends updating to the patched version to mitigate the risk.
Both vulnerabilities were patched in collaboration with the Onapsis Research Labs and are part of a series of other vulnerabilities named P4CHAINS that SAP has recently addressed. Customers are advised to keep their systems up-to-date to prevent such vulnerabilities from being exploited.
Another SAP Security Note, #3300624, tackles a vulnerability in SAP PowerDesigner with a high impact on the availability of the application. The vulnerability stems from a memory-management flaw: a crafted request sent from a remote host triggers memory corruption that allows an attacker to crash the proxy server.
Lastly, SAP Security Note #3326210 addresses an Improper Neutralization vulnerability in the sap.m.FormattedText SAPUI5 control, which an attacker could exploit through a phishing attack to read or modify a user’s information. This note carries a CVSS score of 7.1.