German enterprise software maker SAP on Tuesday announced the release of 15 new and two updated security notes as part of its December 2023 Security Patch Day.
Four of the December 2023 security notes have a severity rating of ‘hot news’, the highest rating on the company’s scale, but three of them are updates to previously released notes.
The new hot news security note deals with multiple vulnerabilities in SAP Business Technology Platform (BTP), the most severe of which is a critical-severity elevation of privilege flaw.
Tracked as CVE-2023-49583 (CVSS score of 9.1), the issue was identified in the BTP Security Services Integration Libraries, which simplify the integration of BTP security services and other identity services.
“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” enterprise security company Onapsis explains.
To draw attention to the vulnerability, SAP has published a separate blog post, urging all customers to review the security note, ensure that their systems meet required prerequisites for the update, and apply the provided solution to address the bug.
“Security is a shared responsibility, and proactive measures are crucial to maintaining the integrity of our SAP BTP environments,” SAP notes.
The first of the three updated hot news notes brings patches for the Chromium-based browser in SAP Business Client. The update plugs 44 security holes, including three critical bugs and 17 high-severity issues.
The remaining two hot news notes are updates for a security note released in July 2023 to address an OS command injection flaw in SAP ECC and SAP S/4HANA (IS-OIL).
“Both security notes point out that the corresponding patches may only be applied to a system if IS-OIL is activated. Ignoring this prerequisite can lead to serious system inconsistencies,” Onapsis says.
SAP released four high-priority security notes as part of its December 2023 patches. The first addresses an improper access control bug in Commerce Cloud that could allow blocked users to regain access to the application through the forgotten password feature.
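The Commerce Cloud bug described above is an instance of a general weakness: a password-reset flow that only checks whether an account exists, not whether it is currently allowed to log in. The following illustrative Python snippet is added here and is not SAP code; it contrasts that weak pattern with a hardened one that refuses to issue a reset token for a blocked account and re-checks the block flag when the token is redeemed. The `Account` and `ResetService` classes and the e-mail addresses are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password: str
    blocked: bool = False  # set when an administrator blocks the user


@dataclass
class ResetService:
    accounts: Dict[str, Account]
    # Outstanding reset tokens -> e-mail. In a real system the token is
    # delivered out of band; here it is returned so the behaviour is testable.
    issued: Dict[str, str] = field(default_factory=dict)

    def _issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.issued[token] = email
        return token

    def request_reset_weak(self, email: str) -> Optional[str]:
        """Weak pattern: only checks that the account exists, so a blocked
        user can still obtain a reset token and log back in."""
        if email in self.accounts:
            return self._issue(email)
        return None

    def request_reset_hardened(self, email: str) -> Optional[str]:
        """Hardened pattern: no token for unknown or blocked accounts. The
        HTTP layer should answer identically in every case so the response
        does not reveal whether the address is registered or blocked."""
        acct = self.accounts.get(email)
        if acct is None or acct.blocked:
            return None
        return self._issue(email)

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a one-time token. The block flag is checked again here so a
        token issued before the block (or through a weak request path) cannot
        be used to regain access."""
        email = self.issued.pop(token, None)
        if email is None:
            return False
        acct = self.accounts[email]
        if acct.blocked:
            return False
        acct.password = new_password
        return True


def demo() -> tuple:
    """Constructed scenario: a blocked user asks for a reset on both paths.
    Returns (weak path issued a token, hardened path refused)."""
    accounts = {
        "alice@example.test": Account("alice@example.test", "old-pw"),
        "mallory@example.test": Account("mallory@example.test", "old-pw", blocked=True),
    }
    svc = ResetService(accounts)
    weak_token = svc.request_reset_weak("mallory@example.test")
    hard_token = svc.request_reset_hardened("mallory@example.test")
    return weak_token is not None, hard_token is None


if __name__ == "__main__":
    print(demo())
```

The second gate in `complete_reset` is the defence-in-depth point: even if a request path is later found to skip the status check, a blocked account still cannot complete the reset.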
Also resolved were a high-severity cross-site scripting (XSS) flaw in BusinessObjects that could allow an attacker to upload malicious documents to the system, and an information disclosure issue in SAP GUI for Windows and SAP GUI for Java that could expose confidential information.
Additionally, SAP patched a high-severity missing authorization check bug in EMARSYS SDK Android, which could allow an attacker with control over a victim’s Android device to have the host application forward them URLs without validation.
“On successful exploitation, an attacker could navigate to arbitrary URLs, including application deep links, on the device,” Onapsis explains.
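The defensive counterpart to the EMARSYS SDK issue is validating any URL an application is asked to navigate to against an allowlist of schemes, hosts and deep-link routes before acting on it. The Python snippet below is an added illustration, not SAP or EMARSYS code; the hosts, the `exampleapp` scheme and the route names are constructed for the example, and the same shape applies to a mobile host application deciding whether to open a link it received from an SDK or an intent.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this host application will open.
ALLOWED_HTTPS_HOSTS = {"www.example.test", "links.example.test"}
ALLOWED_DEEP_LINK_SCHEME = "exampleapp"
ALLOWED_DEEP_LINK_ROUTES = {"orders", "profile"}
FALLBACK_URL = "https://www.example.test/"


def is_safe_navigation_target(url: str) -> bool:
    """Return True only for an https URL on an allowlisted host or a deep link
    on an allowlisted route. Everything else (other schemes, userinfo tricks,
    look-alike hosts, unknown routes) is rejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    if scheme == "https":
        # hostname is already lowercased and stripped of userinfo/port, so
        # "https://www.example.test@evil.test/" resolves to evil.test here.
        if parts.username is not None or parts.password is not None:
            return False
        return parts.hostname in ALLOWED_HTTPS_HOSTS

    if scheme == ALLOWED_DEEP_LINK_SCHEME:
        # For exampleapp://orders/123 the route is the netloc ("orders").
        if parts.username is not None or parts.password is not None:
            return False
        return parts.netloc.lower() in ALLOWED_DEEP_LINK_ROUTES

    # http, javascript, file, intent, empty scheme, etc.
    return False


def resolve_navigation(url: str) -> str:
    """Choose what the app actually opens: the requested URL if it passes the
    allowlist, otherwise a safe fallback page."""
    return url if is_safe_navigation_target(url) else FALLBACK_URL


if __name__ == "__main__":
    # Constructed sample of links an SDK might hand to the host application.
    for candidate in [
        "https://www.example.test/sale",
        "https://www.example.test@evil.test/",
        "exampleapp://orders/123?ref=mail",
        "exampleapp://admin/reset",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {resolve_navigation(candidate)}")
```

Allowlisting by exact host and route, rather than by prefix or substring matching, is what defeats the usual bypasses (`evil.test` with the trusted name in the userinfo part, or `www.example.test.evil.test`).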
SAP also released seven medium-priority and two low-priority security notes.
The software maker makes no mention of any of these vulnerabilities being exploited in malicious attacks, but threat actors are known to target SAP application vulnerabilities.