SAP Security Notes, June 2023

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

June 2023 notes

Summary and highlights of the month

The total number of notes/patches was 13, 12 fewer than last month. The number of Hot News notes decreased from 3 to 0 this month. It is also worth noting that the number of high-criticality notes decreased from 9 to 4. As usual, we will leave the medium and low notes aside this month and give details of a total of 4 notes (all those with a CVSS of 7 or higher).

We have a total of 13 notes for the whole month (the 13 from Patch Tuesday: 8 new and 5 updates; that is 11 fewer than last Patch Tuesday).

We will review in detail all 4 of the high-criticality notes (those with a CVSS greater than or equal to 7); 2 of the 4 are new.

  1. The most critical note of the month (CVSS 8.8) is an update of a note published in December 2021 related to "Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse".
  2. The next in criticality (CVSS 8.2) is related to "Stored Cross-Site Scripting (Stored XSS) vulnerability in UI5 Variant Management".
  3. The next in criticality (CVSS 7.9) is "Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing".
  4. The next note in criticality (CVSS 7.1) is an update of a note published last May, related to "Improper Neutralization of Input in SAPUI5".
  5. This month the predominant vulnerability type is "Cross-Site Scripting (XSS)" (7 of the 13 notes on Patch Day).

In the graph (SAP's Patch Day post, continuing the series from May 2023) we can see the ranking of the June notes together with the evolution and ranking of the 5 previous months (only the notes of Security Tuesday / Patch Day, by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1. Update – Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse (3102769): A security vulnerability has been discovered in SAP Knowledge Warehouse (SAP KW). The use of one SAP KW component within a web browser enables unauthorized attackers to conduct XSS attacks, which might lead to the disclosure of sensitive data. This note has been republished with updated "Compatibility Packs and Patches" information for versions 7.31 and 7.40. CVSS v3 Base Score: 8.8 / 10 [CVE-2021-42063].
  2. Stored Cross-Site Scripting (Stored XSS) vulnerability in UI5 Variant Management (3324285): UI5 Variant Management does not sufficiently encode user-controlled inputs when reading data from the server, resulting in a Stored Cross-Site Scripting (Stored XSS) vulnerability. After successful exploitation, an attacker with user-level access can cause a high impact on confidentiality, modify some information and also cause unavailability of the application at user level. This note requires manual activities for implementation. CVSS v3 Base Score: 8.2 / 10 [CVE-2023-33991].
  3. Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing (3301942): SAP Plant Connectivity 15.5 (PCo) and the Production Connector for SAP Digital Manufacturing do not validate the signature of the JSON Web Token (JWT) in the HTTP request sent from SAP Digital Manufacturing. As a consequence, unauthorized callers from the internal network could send service requests to PCo or the Production Connector, which could have an impact on the integrity of the integration with SAP Digital Manufacturing. CVSS v3 Base Score: 7.9 / 10 [CVE-2023-2827].
  4. Update – Improper Neutralization of Input in SAPUI5 (3326210): Due to improper neutralization of input in SAPUI5, the sap.m.FormattedText SAPUI5 control allows injection of untrusted CSS. This blocks the user's interaction with the application. Further, in the absence of URL validation by the application, the vulnerability could lead to the attacker reading or modifying the user's information through a phishing attack. This note has been re-released with updated "Solution" and "Workaround" information. CVSS v3 Base Score: 7.1 / 10 [CVE-2023-30743].
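
The check that note 3301942 describes as missing, shown as an added example that is not SAP's code: `decode_unverified` mirrors the flaw (the payload is trusted without checking the signature, so any caller on the internal network can mint an acceptable token), while `verify_hs256` accepts a token only when algorithm, HMAC signature, issuer and expiry all check out. It assumes an HS256 token with a key shared between SAP Digital Manufacturing and PCo and the constructed issuer name `sap-dm`; the note does not state the real signing scheme.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Compact JWT signed with HMAC-SHA256; used here only to build test vectors
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_unverified(token: str) -> dict:
    # The flawed pattern: the payload is trusted without checking the signature
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes, expected_iss: str, now=None):
    # Returns the claims only if algorithm, signature, issuer and expiry all check out
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse 'none' and algorithm substitution
            return None
        msg = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss or claims.get("exp", 0) <= now:
        return None
    return claims

# Constructed demo values (assumed issuer name; not real SAP keys or tokens)
SHARED_KEY = b"constructed-shared-secret"
CLAIMS = {"iss": "sap-dm", "sub": "dm-integration", "exp": 2_000_000_000}
GENUINE = sign_hs256(CLAIMS, SHARED_KEY)            # signed with the trusted key
UNTRUSTED = sign_hs256(CLAIMS, b"some-other-key")   # same claims, wrong key
```

The unverified decode returns identical claims for both tokens, which is exactly why the signature check, not the payload content, has to be the trust boundary.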

Reference links

Other references, from SAP and Onapsis (June):

  • Digital Library (sap.com)
  • SAP Security Patch Day June 2023 (onapsis.com)

Resources affected

  • SAP Knowledge Warehouse, Versions 7.30, 7.31, 7.40, 7.50
  • SAP Plant Connectivity, Version 15.5
  • SAPUI5, Versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, UI_700 200
