- 158/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (2) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Business Client, SAP ECC and SAP S/4HANA (IS-OIL), SAP NetWeaver, SAP Web Dispatcher, SAP UI5 Variant Management, SAP SQL Anywhere, SAP Solution Manager, SAP S/4HANA (Manage Journal Entry Template), SAP BusinessObjects BI Platform (Enterprise), SAP ERP Defense Forces and Public Security, SAP Business Warehouse and SAP BW/4HANA.
The attacker could exploit some of these vulnerabilities to gain access, execute arbitrary code, cause denial of service attacks, obtain information, and perform cross-site scripting.
Sample of the addressed vulnerabilities:
1. OS Command Injection Vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (CVE-2023-36922):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. Denial of Service Vulnerability in SAP SQL Anywhere (CVE-2023-33990):
- CVSS: 7.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.