In May 2023, SAP released critical security updates addressing vulnerabilities across several platforms, most notably SAP BusinessObjects (BOBJ) and the SAP 3D Visual Enterprise License Manager. These updates include patches for information disclosure, code injection, broken authentication, and session hijacking risks that require immediate attention from security administrators.
Executive Summary
The May 2023 SAP security patch cycle focused on critical vulnerabilities affecting data integrity and authentication. The most significant update, Note 3307833, addresses a critical information disclosure vulnerability in the SAP BusinessObjects Business Intelligence (BOBJ) platform, versions 4.2 and 4.3. This flaw allows authenticated attackers with administrator privileges to steal login tokens and impersonate other users.
Additionally, Note 3328495 targets multiple severe vulnerabilities—including code injection, broken authentication, and session hijacking—within the SAP 3D Visual Enterprise License Manager. Administrators are advised to update to version 15.0.1-sap2 or implement the provided workaround, which involves disabling the vulnerable web interface. Other notable updates include patches for untrusted CSS input validation in SAPUI5, additional BOBJ information disclosure risks, and authentication gaps in SAP Digital Manufacturing. Organizations should review these advisories to ensure their SAP environments are protected against potential exploitation.
Key Takeaways
- BOBJ Critical Risk: Note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects versions 4.2 and 4.3.
- License Manager Vulnerabilities: Note 3328495 addresses code injection and session hijacking in SAP 3D Visual Enterprise License Manager.
- Urgent Updates: Organizations should update to version 15.0.1-sap2 for the License Manager or disable the affected web interface.
- Digital Manufacturing: Note 3301942 fixes missing authentication and validates JSON Web Tokens in SAP Digital Manufacturing.
Which SAP components were affected in May 2023?
The May 2023 security notes covered several key components, ranging from analytics platforms to manufacturing and interface frameworks. The following table summarizes the primary security advisories released during this period.
| SAP Security Note | Component | Primary Risk |
|---|---|---|
| 3307833 | SAP BusinessObjects (BOBJ) | Critical Information Disclosure |
| 3328495 | 3D Visual Enterprise License Manager | Code Injection / Session Hijacking |
| 3326210 | SAPUI5 | Untrusted CSS Input Validation |
| 3217303 | BOBJ (CMC) | Information Disclosure |
| 3213507 | BOBJ (Monitoring DB) | Information Disclosure |
| 3301942 | SAP Digital Manufacturing | Missing Authentication / JWT |
How do I mitigate the License Manager vulnerability?
To address the vulnerabilities identified in Note 3328495, administrators must update the SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. If an immediate update is not feasible, SAP provides a temporary workaround that involves disabling the solution’s vulnerable web interface to prevent exploitation.
FAQ
What is the critical risk associated with SAP BusinessObjects?
Note 3307833 describes an information disclosure vulnerability that allows authenticated attackers with administrator privileges to compromise the login tokens of other users. This effectively grants the attacker the ability to access the platform using the credentials of the compromised user.
What specific vulnerabilities exist in the SAP 3D Visual Enterprise License Manager?
The vulnerabilities addressed in Note 3328495 include code injection, broken authentication, and session hijacking. These flaws present significant risks to the security of the license management environment and require either a patch to version 15.0.1-sap2 or the disabling of the web interface.
Are there updates for SAPUI5 or Digital Manufacturing?
Yes. Note 3326210 provides corrections for input validation concerning untrusted CSS in SAPUI5. Additionally, Note 3301942 addresses a missing authentication vulnerability and ensures proper validation of JSON Web Token signatures in SAP Digital Manufacturing.