German business software maker SAP on Tuesday announced the release of 13 new and five updated security notes as part of its September 2023 Security Patch Day.
Five of the SAP security notes released this month are rated ‘hot news’, the company’s highest rating. Three of them, however, are updates for previously released security notes.
The most severe of the new hot news notes addresses a critical vulnerability in BusinessObjects (CVE-2023-40622, CVSS score of 9.9), allowing attackers to access information that could be used in other attacks, potentially leading to complete application compromise.
The issue, enterprise application security firm Onapsis explains, impacts the job folder of the Promotion Management component.
As a workaround, organizations should provide only required users with the necessary rights to access and perform promotions, and should deny administrators the view rights on the Promotion jobs folder.
The second new hot news security note SAP released this month addresses a missing authorization check issue in CommonCryptoLib. Tracked as CVE-2023-40309 (CVSS score of 9.8), the bug impacts multiple SAP products, including NetWeaver, S/4HANA, Web Dispatcher, Content Server, Host Agent, and Extended Application Services and Runtime (XSA).
“Missing or wrong authorization checks in SAP CommonCryptoLib can result in an escalation of privileges. The resulting impact depends on the application and on the level of acquired privileges. In the worst case, attackers can compromise the affected application completely,” Onapsis explains.
This month, SAP has updated hot news security notes addressing vulnerabilities in the Chromium browser in Business Client (the update fixes 67 vulnerabilities), a code injection flaw in BusinessObjects, and an improper access control issue in NetWeaver (the note was previously deleted by accident).
On Tuesday, SAP also announced the release of two new high-priority security notes that address an insufficient file type validation flaw in BusinessObjects (CVE-2023-42472), and a memory corruption bug in CommonCryptoLib (CVE-2023-40308 – the patches for CVE-2023-40309 automatically patch this issue as well).
The remaining security notes address medium- and low-severity vulnerabilities in PowerDesignerClient, BusinessObjects Suite, S/4HANA, SAPUI5, Quotation Management Insurance, NetWeave, and S4CORE.
“With eighteen new and updated SAP Security Notes, including five HotNews Notes and two High Priority Notes, SAP’s September Patch Day seems to be a busy one. But since two HotNews Notes are only minor updates that do not require customer actions and not much effort is needed to implement SAP BusinessObjects and SAPCryptoLib notes, the patching effort is manageable,” Onapsis points out.