Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in Business Technology Platform

SAP patches multiple vulnerabilities in the Business Technology Platform, including a critical elevation of privilege bug.

German enterprise software maker SAP on Tuesday announced the release of 15 new and two updated security notes as part of its December 2023 Security Patch Day.

Four of the December 2023 security notes have a severity rating of ‘hot news’, the highest in the company’s notebook, but three of them are updates to previously released notes.

The new hot news security note deals with multiple vulnerabilities in SAP Business Technology Platform (BTP), the most severe of which is a critical-severity elevation of privilege flaw.

Tracked as CVE-2023-49583 (CVSS score of 9.1), the issue was identified in the BTP Security Services Integration Libraries, which simplify the integration of BTP security services and other identity services.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” enterprise security company Onapsis explains.

To draw attention to the vulnerability, SAP has published a separate blog post, urging all customers to review the security note, ensure that their systems meet required prerequisites for the update, and apply the provided solution to address the bug.

“Security is a shared responsibility, and proactive measures are crucial to maintaining the integrity of our SAP BTP environments,” SAP notes.

The first of the three updated hot news notes brings patches for the Chromium-based browser in SAP Business Client. The update plugs 44 security holes, including three critical bugs and 17 high-severity issues.

Advertisement. Scroll to continue reading.

The remaining two hot news notes are updates for a security note released in July 2023 to address an OS command injection flaw in SAP ECC and SAP S/4HANA (IS-OIL).

“Both security notes point out that the corresponding patches may only be applied to a system if IS-OIL is activated. Ignoring this prerequisite can lead to serious system inconsistencies,” Onapsis says.

SAP released four high-priority security notes as part of its December 2023 patches, the first of which addresses an improper access control bug in Commerce Cloud, which could allow blocked users to use the forgotten password feature to regain access to the application.

A high-severity cross-site scripting (XSS) flaw in BusinessObjects that could allow an attacker to upload malicious documents to the system and an information disclosure issue in SAP GUI for Windows and SAP GUI for Java, leading to the exposure of confidential information, were also resolved.

Additionally, SAP patched a high-severity missing authorization check bug in EMARSYS SDK Android, which could allow an attacker with control over a victim’s Android device to forward themselves URLs without validation from the host application.

“On successful exploitation, an attacker could navigate to arbitrary URLs, including application deep links, on the device,” Onapsis explains.

SAP also released seven medium-priority and two low-priority security notes.

The software maker makes no mention of any of these vulnerabilities being exploited in malicious attacks, but threat actors are known to target SAP application vulnerabilities.

Related: SAP Patches Critical Vulnerability in Business One Product

Related: SAP Releases 7 New Notes on October 2023 Patch Day

Reated: SAP Patches Critical Vulnerability in PowerDesigner Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.