SAP fixes critical vulnerabilities
Take action: Time to plan an SAP patching cycle for this month. Understandably there will be pushback, but this is one more month in which critical vulnerabilities have been patched in SAP products, so it is time to establish a regular patching process rather than treating each Patch Day as an exception.
Learn More
SAP has released the security notes for this month's Patch Day. Applying them promptly is essential to keeping SAP systems secure, since the notes below describe flaws ranging from unauthenticated network attacks to local denial of service.
Among the critical vulnerabilities, the most significant concerns the Chromium browser control integrated into SAP Business Client, which carries SAP's highest priority rating because of its potential impact. Note that SAP Business Client is a desktop front end, so remediation means rolling out the updated client to end-user workstations rather than applying a note on the server; SAP's note provides the details and remediation steps.
CVE-2023-36922 (CVSS score 9.1) - OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (IS-OIL-DS-HPM). An unprotected parameter in a common (default) extension lets an authenticated attacker inject arbitrary operating system commands that are executed on the application server.
CVE-2023-33989 (CVSS score 8.7) - High severity directory traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) (BW-BCT-GEN). Because user-supplied path input is not confined to the intended directory, an attacker can reach OS files outside it, which can lead to full compromise of the system.
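The directory traversal class above comes down to one missing check: after joining a caller-supplied path onto the content root, the application never verifies that the result is still under that root. The following is an added illustration, not SAP's code and not derived from the affected component; the root directory `/srv/app/uploads` and the function names are assumptions for the demonstration. It places the vulnerable pattern next to a hardened one that decodes the input, rejects absolute paths, normalises, and only then checks containment with a path-aware comparison (a plain string prefix check would wrongly accept `/srv/app/uploads-old`).

```python
import posixpath
from urllib.parse import unquote

# Hypothetical content root used for the demonstration.
UPLOAD_ROOT = "/srv/app/uploads"


def naive_join(root: str, user_path: str) -> str:
    """Vulnerable pattern: glue the caller-supplied path onto the root and
    normalise it, trusting that the result is still under the root."""
    return posixpath.normpath(posixpath.join(root, user_path))


def safe_join(root: str, user_path: str):
    """Hardened variant: decode, reject obviously hostile input, normalise,
    and only then verify the result stays inside the root.

    Returns the confined absolute path, or None if the input escapes."""
    root = posixpath.normpath(root)  # tolerate a trailing slash on the root
    # Decode twice so a double-encoded ".." (%252e%252e) is also caught.
    decoded = unquote(unquote(user_path))
    # Backslashes and NUL bytes have no business in a portable relative path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # An absolute path would make posixpath.join discard the root entirely.
    if decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # The decisive check: after normalisation, the longest common path of
    # root and candidate must still be the root itself (not a string prefix).
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["reports/2023/q3.csv", "../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "../uploads-old/x"]:
        print(f"{p!r:45} naive={naive_join(UPLOAD_ROOT, p)!r:35} "
              f"safe={safe_join(UPLOAD_ROOT, p)!r}")
```

The double decode is deliberate: it closes the encoded-traversal bypass at the cost of mangling a legitimate name containing a literal `%25`, which is an acceptable trade for an upload path. Symlinks inside the root are a separate concern and would need `os.path.realpath` against the live filesystem.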
CVE-2023-33987 (CVSS score 8.6) - High severity request smuggling and request concatenation vulnerability in SAP Web Dispatcher (BC-CST-WDP). When the dispatcher and the back-end server disagree on where one HTTP request ends and the next begins, an attacker can prepend data to another user's request, allowing them to read or modify server-side data or temporarily make the server unavailable.
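To make the "request concatenation" wording concrete, here is the generic mechanism behind HTTP request smuggling, added as an illustration that is not SAP's code and says nothing about how this particular Web Dispatcher flaw is triggered. Two minimal parsers frame the same byte stream by different rules: the simulated front end trusts Content-Length, the simulated back end honours Transfer-Encoding: chunked. The traffic (hostnames, paths and the `/admin` target) is constructed for the demo. The front end sees two ordinary requests; the back end sees the attacker's leftover bytes glued onto the victim's request, turning it into a request for `/admin`.

```python
from typing import List, Tuple


def _read_chunked(data: bytes, pos: int) -> Tuple[bytes, int]:
    """Consume a chunked body starting at pos; return (body, new_pos)."""
    body = b""
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # Last chunk: skip any trailer lines up to the terminating empty line.
            while True:
                line_end = data.index(b"\r\n", pos)
                trailer = data[pos:line_end]
                pos = line_end + 2
                if not trailer:
                    return body, pos
        body += data[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def split_requests(stream: bytes, framing: str) -> List[dict]:
    """Split a raw byte stream into requests using one framing rule.

    framing="cl": always trust Content-Length (the 'front end' here).
    framing="te": honour Transfer-Encoding: chunked when present, otherwise
                  Content-Length (the 'back end' here).
    """
    requests: List[dict] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break  # incomplete request; a real server would wait for more bytes
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        chunked = "chunked" in headers.get("transfer-encoding", "").lower()
        if framing == "te" and chunked:
            body, pos = _read_chunked(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body = stream[pos:pos + length]
            pos += length
        requests.append({"request_line": lines[0], "headers": headers, "body": body})
    return requests


def is_ambiguous(request: dict) -> bool:
    """Defensive check: a message carrying both framing headers is exactly the
    input that lets two parsers disagree, so a proxy should reject it."""
    headers = request["headers"]
    return "content-length" in headers and "transfer-encoding" in headers


# Constructed traffic: the attacker's request, followed by an innocent user's
# request arriving on the same reused back-end connection.
SMUGGLED = b"0\r\n\r\n" + b"GET /admin HTTP/1.1\r\nFoo: "
ATTACKER = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: wd.example\r\n",
    b"Content-Length: " + str(len(SMUGGLED)).encode() + b"\r\n",
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    SMUGGLED,
])
VICTIM = b"GET /victim HTTP/1.1\r\nHost: wd.example\r\n\r\n"
STREAM = ATTACKER + VICTIM


def demo() -> Tuple[List[str], List[str]]:
    """Return the request lines each side believes it saw."""
    front = [r["request_line"] for r in split_requests(STREAM, "cl")]
    back = [r["request_line"] for r in split_requests(STREAM, "te")]
    return front, back


if __name__ == "__main__":
    front, back = demo()
    print("front end saw:", front)  # ['POST / HTTP/1.1', 'GET /victim HTTP/1.1']
    print("back end saw: ", back)   # ['POST / HTTP/1.1', 'GET /admin HTTP/1.1']
```

The victim's original request line survives only as the value of the attacker-supplied `Foo` header on the back end. The generic mitigation, independent of any vendor fix, is for the proxy to refuse requests that carry both Content-Length and Transfer-Encoding (the `is_ambiguous` check) or to re-serialise every request into a single unambiguous framing before forwarding it.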
CVE-2023-33990 (CVSS score 7.8) - High severity Denial of Service (DoS) vulnerability in SAP SQL Anywhere (BC-SYB-SQA-SRV) involving shared memory objects. A low-privileged attacker with local access to the host can crash the service, making the database unavailable to legitimate users.
CVE-2023-35871 (CVSS score 7.7) - High severity memory corruption vulnerability in SAP Web Dispatcher (BC-CST-WDP). By exploiting logical errors in the dispatcher's memory management, an attacker can corrupt memory, leading to information disclosure or a crash of the process.
CVE-2023-36925 and CVE-2023-36921, both with a CVSS score of 7.2 - SAP Solution Manager (Diagnostics agent) (SV-SMG-DIA-SRV-AGT) is affected by two high severity vulnerabilities (7.2 falls in the High band of the CVSS scale): an unauthenticated Server-Side Request Forgery (SSRF) and a header injection. The SSRF lets an unauthenticated attacker make the agent issue HTTP requests of the attacker's choosing, impacting availability and confidentiality. The header injection lets an attacker manipulate headers in client requests and potentially serve poisoned content to the server.
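An SSRF in an agent is dangerous because the agent sits inside the network and will fetch whatever URL it is handed. The check below is an added example of the egress validation a practitioner would want in front of such a fetch; it is not SAP's code and not the Diagnostics agent's fix. The allow-listed host `solman.example.internal` and the resolver tables are constructed for the demo. The point it makes beyond the paragraph: validate the scheme, reject userinfo tricks, allow-list the host, and then check the addresses the name actually resolves to, so that a DNS rebind toward loopback or the link-local metadata range is caught as well.

```python
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Hypothetical policy for an agent that should only talk to its own manager.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"solman.example.internal"}


def is_blocked_address(ip_text: str) -> bool:
    """Addresses an internal agent must never be steered toward: loopback,
    link-local (cloud metadata endpoints live at 169.254.169.254),
    unspecified, multicast and reserved ranges. RFC 1918 private space is
    deliberately permitted because the manager itself lives there."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_link_local or ip.is_unspecified
            or ip.is_multicast or ip.is_reserved)


def check_outbound_url(url: str,
                       resolve: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Validate a URL the agent has been asked to fetch; return (ok, reason).

    `resolve` maps a hostname to the addresses it currently resolves to. It is
    injected so the check runs offline here and so that the *resolved*
    addresses, not only the name, are checked (DNS rebinding defence)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # allowed-host@evil.example tricks
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not allow-listed"
    try:
        addresses = list(resolve(host))
    except Exception as exc:  # a resolver failure is a deny, never a pass
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host did not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"


# Constructed resolver tables standing in for DNS during the demo.
NORMAL_DNS = {"solman.example.internal": ["10.0.5.20"]}
REBOUND_DNS = {"solman.example.internal": ["169.254.169.254"]}


def lookup(table: dict) -> Callable[[str], Iterable[str]]:
    """Build a resolver function from a static table."""
    return lambda host: table[host]


if __name__ == "__main__":
    for url in ["https://solman.example.internal:8443/sap/bc/ping",
                "http://127.0.0.1:50000/", "gopher://solman.example.internal/",
                "http://solman.example.internal@evil.example/"]:
        print(url, "->", check_outbound_url(url, lookup(NORMAL_DNS)))
    print("rebound ->", check_outbound_url("http://solman.example.internal/",
                                           lookup(REBOUND_DNS)))
```

In production the resolved addresses must also be the ones the HTTP client actually connects to (resolve once and pin the socket), otherwise a second lookup at connect time reopens the rebinding window the check is meant to close.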