SAP Security Patch Day June 2023: Cross-Site Scripting Takes Center Stage
Key Takeaways
⇨ Thirteen new and updated SAP security patches were released, with a particular emphasis on addressing Cross-Site Scripting (XSS) vulnerabilities
⇨ Two High Priority Notes, #3326210 and #3324285, impact the SAPUI5 component, addressing XSS vulnerabilities in UI5 Variant Management and UI5 Management, respectively
⇨ The Onapsis Research Labs contributed to fixing a vulnerability in the Transport Management System that could result in a Denial of Service
June’s SAP Security Notes highlights the release of thirteen new and updated patches, including four High Priority Notes. Among these, Cross-Site Scripting (XSS) vulnerabilities took the spotlight, with eight notes addressing this issue in various components.
Notably, two High Priority Notes (#3326210 and #3324285) focus on the SAPUI5 component, while the Onapsis Research Labs aided in mitigating a vulnerability impacting the Transport Management System.
High-Priority SAP Security Notes: A Closer Look
New High-Priority SAP Security Notes
SAP Security Note #3324285 addresses a Stored Cross-Site Scripting (Stored XSS) vulnerability in UI5 Variant Management, with a CVSS score of 8.2. This vulnerability could compromise the confidentiality, integrity, and availability of the UI5 Variant Management application, potentially granting unauthorized user-level access.
The second new High Priority Note, #3301942, with a CVSS score of 7.9, deals with the connection between SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing. Without a valid JSON Web Token (JWT), the integrity and integration of these components with SAP Digital Manufacturing may be compromised. It is crucial to patch both components and configure JWT signature validation in the Cloud Connector settings to address this vulnerability fully.
Updates to Previously Released High Priority SAP Security Notes
SAP Security Note #3326210, initially released in May’s Patch Day, undergoes an update in June. This note, with a CVSS score of 7.1, addresses an Improper Neutralization vulnerability in the sap.m.FormattedText SAPUI5 control, which could be exploited for phishing attacks. The update introduces minor textual and structural changes, along with support for SAP NetWeaver 7.58.
The remaining updated High Priority Note, SAP Security Note #3102769, features a CVSS score of 8.8 and addresses a critical Cross-Site Scripting vulnerability in SAP Knowledge Warehouse. This note provides a workaround that involves deactivating the vulnerable displaying component. New patch-level patches are also released for SAP NetWeaver 7.31 and 7.40.
Cross-Site Scripting SAP Security Notes
Although only two High Priority SAP Security Notes tackle Cross-Site Scripting vulnerabilities, it’s worth noting that six Medium Priority SAP Security Notes were also released in the June Patch Day.
SAP Security Notes #3319400 and #3315971, initially released in May, received updates. The first note states that SAP Business Object 4.2 is unaffected by the vulnerability and removes it from the list of affected versions. However, for Note #3315971 addressing an issue in SAP CRM, users are advised to consider the completeness of the fix and implement SAP Security Note #3322800, also released in this Patch Day.
SAP Security Notes #2826092, #3331627, and #3318657 address Cross-Site Scripting vulnerabilities in SAP CRM Grantor Management, SAP Enterprise Portal, and Design Time Repository