SAP releases multiple patches including critical ones for SAP BTP and IS-OIL
Take action: If you use SAP products, prioritize patch planning for SAP BTP and IS-OIL. The usual rule of isolating these systems from the internet still applies. Patching an enterprise-level application is difficult, but these are the days when everything and anything gets exploited. Make patching a routine practice; it becomes easier.
SAP released seventeen new and updated Security Notes on its December Patch Day. This release includes four HotNews Notes and four High Priority Notes.
Key issues are a vulnerability in the SAP BTP Security Services Integration Libraries that poses a severe risk of Escalation of Privileges, and an important update for IS-OIL, since the previous HotNews patch for IS-OIL was found to be incomplete and needs to be supplemented.
Key HotNews Notes:
- Updates on a critical OS Command Injection vulnerability in IS-OIL. SAP Security Note #3350297 (CVSS score 9.1), released in July 2023, has been updated with a new HotNews Note #3399691. Both patches (#3350297 and #3399691) are required for full mitigation. These patches should only be applied if IS-OIL is activated; applying them on a system without IS-OIL can cause system inconsistencies.
- Regular SAP Security Note #2622660 update for SAP Business Client, incorporating the latest Chromium patches. This update supports Chromium version 119.0.6045.159, addressing forty-four vulnerabilities, including three Critical and seventeen High Priority ones, with a maximum CVSS score of 8.8.
- SAP Security Note #3411067 (CVSS score 9.1) addresses a critical Escalation of Privileges in SAP BTP. The vulnerability impacts the SAP BTP Security Services Integration Libraries, enabling unauthenticated attackers to gain arbitrary permissions, severely affecting application confidentiality and integrity. The note provides information on affected libraries and versions, along with update guidelines.
- SAP Security Note #3394567 (CVSS score 8.1) fixes an Improper Access Control in SAP Commerce Cloud, where locked users could bypass restrictions using the Forgotten Password functionality.
- SAP Security Note #3382353 (CVSS score 7.5) deals with a Cross-Site Scripting vulnerability in SAP BusinessObjects Business Intelligence Platform, allowing privileged attackers to upload harmful documents.
- SAP Security Note #3385711 (CVSS score 7.3) describes an Information Disclosure vulnerability in SAP GUI for Windows and Java, potentially leading to unauthorized access to restricted information and system performance issues.
- SAP Security Note #3406244 (CVSS score 7.1) addresses a Missing Authorization Check in SAP EMARSYS SDK ANDROID, enabling attackers to redirect to arbitrary URLs on a compromised Android device.