Navigating SAP Security Notes: December 2023 Patch Tuesday
SAP published fifteen new and two updated Security Notes for December 2023 Patch Tuesday. Compared to October’s and November’s SAP Security Patch Day releases, this month’s release contains more patches overall, and more of them carry a high severity. Four Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). Two of the HotNews notes are new, and two are updates to previously released notes. Additionally, four new Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9). For this blog, we will focus on the five most critical Security Notes: four with a HotNews priority rating and one with a High Priority rating.
Newly Released HotNews Security Notes
Security Note 3411067 – [Multiple CVEs] received a CVSS score of 9.1 and addresses “Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries.” Specifically, SAP BTP Security Services Integration Libraries and Programming Infrastructures using the libraries listed within the Security Note’s official documentation allow an escalation of privileges under certain conditions. This vulnerability affects the libraries created for integrating SAP BTP security services, such as SAP Authorization and Trust Management Service (XSUAA), as well as various identity services. If an attacker successfully exploits this vulnerability, they can gain arbitrary permissions within the application, even without authentication. If left unpatched, it can have a high impact on the confidentiality and integrity of the application. SAP has released a blog post discussing the importance of updating the affected libraries and components. Currently, there is no temporary workaround to mitigate this vulnerability. SAP recommends that customers apply the recommended patches to protect their systems.
Security Note 3399691 – Update 1 to 3350297 – [CVE-2023-36922] received a CVSS score of 9.1 and is an update to Security Note 3350297, initially released in July 2023. This updated Security Note addresses an “OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL).” Specifically, due to a programming error in the function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. If this vulnerability is successfully exploited, an attacker can gain unauthenticated access to the application server, read or modify the system data, and shut down the system entirely. If left unpatched, this vulnerability will greatly impact system confidentiality, integrity, and availability.
The fix provided previously in Security Note 3350297 was incomplete for the component IS-OIL-DS-HPM. Customers who have already implemented that patch should therefore also apply Security Note 3399691; the vulnerability is completely patched only when both patches are applied. Note also that the corresponding patches can only be applied to a system in which IS-OIL is activated.
As a solution, SAP removed the “Test Selected Routines” option from the report ROIB_QCI_CALL_TEST, and direct execution of the Function Module OIB_QCI_SERVER is no longer allowed. SAP advises customers to apply the correction instructions or upgrade the corresponding Support Packages referenced in this Security Note’s official documentation.
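The note above describes the defect only as an unprotected parameter reaching the operating system. The following added example (not SAP’s ABAP, and not the function module, report or parameter from the note) models that class in Python: a parameter spliced into a shell string beside a hardened builder that allowlists the value and hands the OS an argument vector with no shell in between. The tool path, routine names and allowlist are constructed for the demo.

```python
"""Illustrative model of the OS-command-injection class behind Security Note
3399691. Added example code, not SAP's: the tool path, routine names and
allowlist below are constructed for the demo."""
import re
import shlex

# Constructed allowlist: the only routine names a caller is permitted to pass.
ALLOWED_ROUTINES = {"quantity-conversion", "volume-recalc"}
# Defence in depth: even allowlisted values must match a conservative charset.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]+$")
TOOL = "/opt/tools/qci_test"  # hypothetical path, not an SAP binary


def build_command_vulnerable(routine: str) -> str:
    """Splices the caller-supplied parameter into a single shell string.
    Anything a shell treats specially in the parameter (';', '&&', '|')
    becomes part of the command line the OS executes."""
    return f"{TOOL} --routine {routine}"


def shell_tokens(command: str) -> list:
    """Parse a command string the way a POSIX shell would, without running
    it, so the effect of an injected separator shows up as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_commands(command: str) -> int:
    """Count command separators a shell would honour in the string. Anything
    above zero means the parameter has changed what gets executed."""
    return sum(1 for tok in shell_tokens(command) if tok in (";", "&&", "||", "|"))


def build_command_hardened(routine: str) -> list:
    """Validates the parameter against the allowlist and the strict charset,
    then returns an argv list meant for subprocess.run(argv, shell=False):
    with no shell involved, metacharacters are never interpreted."""
    if routine not in ALLOWED_ROUTINES or not SAFE_TOKEN.match(routine):
        raise ValueError(f"rejected routine parameter: {routine!r}")
    return [TOOL, "--routine", routine]


def check_parameter(routine: str) -> dict:
    """Run both builders on one input and summarise the outcome."""
    shell_cmd = build_command_vulnerable(routine)
    try:
        argv = build_command_hardened(routine)
        accepted = True
    except ValueError:
        argv, accepted = None, False
    return {
        "shell_string": shell_cmd,
        "injected_separators": injected_commands(shell_cmd),
        "hardened_accepts": accepted,
        "argv": argv,
    }


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and one carrying a shell separator.
    for value in ("quantity-conversion", "quantity-conversion; echo injected"):
        print(check_parameter(value))
```

The allowlist is the real control here; the charset check only backs it up. SAP’s own fix, as the note describes it, goes one step further by removing the entry point altogether, which is the right answer whenever a test or diagnostic routine does not need to exist in production.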
Updated HotNews Security Notes
Security Note 3350297 – [CVE-2023-36922] received a CVSS score of 9.1 and was updated by SAP with reference to the new HotNews Note 3399691. Please refer to the Security Note directly above for more information. Please note that the vulnerability is only completely patched when applying both Security Notes, first 3350297 and then 3399691.
Security Note 2622660 is a regularly recurring patch and provides “security updates for the browser control Google Chromium delivered with SAP Business Client.” This Security Note addresses numerous vulnerabilities in the third-party web browser control Chromium. Specifically, if the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client may lead to vulnerabilities related to memory corruption and information disclosure, among others. Identified impacts of these vulnerabilities include:
- System information disclosure or even system crash in worst-case scenarios.
- Potential direct impacts on system confidentiality, availability, and integrity.
- Exfiltrated information can be leveraged to initiate other attacks, with potentially severe and compounding consequences.
This month’s update is the 43rd update to this Security Note and includes revised ‘Solution’ and ‘Support Packages & Patches’ information. Specifically, SAP Business Client now supports Chromium version 119.0.6045.159, which fixes forty-four vulnerabilities, including three Critical and seventeen High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities for SAP Business Client is 8.8.
This Security Note was first released in April 2018 and has been continuously updated since then. Since this patch is recurring almost monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.
Newly Released High Priority Security Note
Security Note 3394567 – [CVE-2023-42481] received a CVSS score of 8.1 and is the only High Priority Security Note with a CVSS score exceeding 8.0 this month. This Security Note patches an “Improper Access Control vulnerability in SAP Commerce Cloud.” Specifically, in SAP Commerce Cloud, a locked B2B user can exploit the forgotten password functionality to unblock their user credentials. This is possible because the loginDisabled flag was incorrectly set to false during the password reset process. If SAP Commerce Cloud – Composable Storefront is used, not all necessary checks are subsequently executed. This issue does not affect setups that utilize classic accelerator storefronts and is specific to B2B scenarios. If this vulnerability is left unpatched and is successfully exploited, blocked users can regain unauthenticated access to the application, leading to a considerable impact on system confidentiality and integrity.
As a solution, SAP addresses this vulnerability by not changing the loginDisabled flag to false if the B2B user is marked as inactive during the password reset flow. Please see this Security Note’s official documentation for additional details, patches, and associated improvements. As a temporary workaround, SAP outlines these Manual Remediation Steps:
- Establish the following procedure during operations: immediately after a B2B user is blocked by a B2B user with an admin role, adjust the ID or the email address of the blocked user in the back office. With the ID or email changed accordingly, the blocked user can no longer receive the emails needed to unblock their account.
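To make the defect and its two remedies concrete, here is an added example in Python; it is not SAP’s Java code, and the class, field and function names are assumptions chosen to mirror the page’s description of the loginDisabled flag and the B2B “inactive” marker. It shows the pre-patch reset flow clearing the flag for a blocked user, the patched flow leaving it alone when the user is inactive, and the manual workaround of changing the blocked user’s email so a reset request no longer resolves to the account.

```python
"""Illustrative model of the SAP Commerce Cloud defect in Security Note
3394567 (CVE-2023-42481). Added example code, not SAP's: names are assumed
to mirror the page's description, and all users and passwords are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class B2BCustomer:
    uid: str
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""
    login_disabled: bool = False  # True once an admin blocks the user; must deny login
    active: bool = True           # the B2B "inactive" marker the patched flow consults


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user: B2BCustomer, password: str) -> None:
    user.password_hash = _hash(password, user.salt)


def can_login(user: B2BCustomer, password: str) -> bool:
    if user.login_disabled:
        return False
    return hmac.compare_digest(user.password_hash, _hash(password, user.salt))


def block_user(user: B2BCustomer) -> None:
    """Admin action described on the page: the B2B user is blocked."""
    user.login_disabled = True
    user.active = False


def reset_password_vulnerable(user: B2BCustomer, new_password: str) -> None:
    """Pre-patch flow: loginDisabled is unconditionally set to false, so a
    blocked user who completes 'forgotten password' is silently unblocked."""
    set_password(user, new_password)
    user.login_disabled = False


def reset_password_hardened(user: B2BCustomer, new_password: str) -> None:
    """Patched flow per the note: leave loginDisabled untouched when the
    user is marked inactive, so an admin's block survives a reset."""
    set_password(user, new_password)
    if user.active:
        user.login_disabled = False


def find_reset_target(directory: Dict[str, B2BCustomer], email: str) -> Optional[B2BCustomer]:
    """The lookup a 'forgotten password' request performs before sending mail."""
    return next((u for u in directory.values() if u.email == email), None)


def compare_reset_flows() -> Dict[str, bool]:
    """Block a user, run each reset flow, and report whether the new password
    logs in. Also checks that an unblocked user can still reset after the fix."""
    outcome = {}
    for name, reset in (("vulnerable", reset_password_vulnerable),
                        ("hardened", reset_password_hardened)):
        user = B2BCustomer("buyer01", "buyer01@example.com")  # constructed
        set_password(user, "Initial-Pass-1")
        block_user(user)
        reset(user, "Chosen-Pass-2")
        outcome[name + "_blocked_user_can_login"] = can_login(user, "Chosen-Pass-2")
    user = B2BCustomer("buyer02", "buyer02@example.com")  # constructed, never blocked
    set_password(user, "Initial-Pass-1")
    reset_password_hardened(user, "Chosen-Pass-2")
    outcome["hardened_normal_user_can_login"] = can_login(user, "Chosen-Pass-2")
    return outcome


def manual_workaround_blocks_reset_mail() -> bool:
    """The page's interim procedure: right after blocking, the admin changes
    the blocked user's email in the back office, so a reset request for the
    original address no longer resolves to that account."""
    user = B2BCustomer("buyer03", "buyer03@example.com")  # constructed
    directory = {user.uid: user}
    block_user(user)
    user.email = f"blocked-{user.uid}@invalid.example"  # constructed replacement address
    return find_reset_target(directory, "buyer03@example.com") is None


if __name__ == "__main__":
    print(compare_reset_flows())
    print("workaround prevents reset mail:", manual_workaround_blocks_reset_mail())
```

The point of the hardened flow is that a password reset proves only control of the mailbox, not that the account should be enabled; the block decision belongs to the admin and must not be overwritten by a self-service path. The workaround achieves a similar effect from the outside by taking the mailbox out of the picture, which is why the page has it follow the block immediately.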
The Importance of Proactive and Timely Patching
Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the confidentiality, integrity, and availability (the CIA triad) of your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.
How Pathlock Can Help
Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into the most urgent patches, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.
Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:
- Vulnerability and Code Scanning
- Threat Detection and Response
- Transport Control
- Dynamic Data Masking
- Session Logging and Data Loss Prevention (DLP)
Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.
To see how Pathlock can help your organization, reach out to set up a demo today.