SAP Security Notes: May 2023 Patch Summary

In May 2023, SAP released critical security updates addressing vulnerabilities across several platforms, most notably SAP BusinessObjects (BOBJ) and the SAP 3D Visual Enterprise License Manager. These updates include patches for information disclosure, code injection, broken authentication, and session hijacking risks that require immediate attention from security administrators.

Executive Summary

The May 2023 SAP security patch cycle focused on critical vulnerabilities affecting data integrity and authentication. The most significant update, Note 3307833, addresses a critical information disclosure vulnerability in the SAP BusinessObjects Business Intelligence (BOBJ) platform, versions 4.2 and 4.3. This flaw allows authenticated attackers with administrator privileges to steal login tokens and impersonate other users.

Additionally, Note 3328495 targets multiple severe vulnerabilities—including code injection, broken authentication, and session hijacking—within the SAP 3D Visual Enterprise License Manager. Administrators are advised to update to version 15.0.1-sap2 or implement the provided workaround, which involves disabling the vulnerable web interface. Other notable updates include patches for untrusted CSS input validation in SAPUI5, additional BOBJ information disclosure risks, and authentication gaps in SAP Digital Manufacturing. Organizations should review these advisories to ensure their SAP environments are protected against potential exploitation.

Key Takeaways

  • BOBJ Critical Risk: Note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects versions 4.2 and 4.3.
  • License Manager Vulnerabilities: Note 3328495 addresses code injection and session hijacking in SAP 3D Visual Enterprise License Manager.
  • Urgent Updates: Organizations should update to version 15.0.1-sap2 for the License Manager or disable the affected web interface.
  • Digital Manufacturing: Note 3301942 fixes missing authentication and validates JSON Web Tokens in SAP Digital Manufacturing.

Which SAP components were affected in May 2023?

The May 2023 security notes covered several key components, ranging from analytics platforms to manufacturing and interface frameworks. The following table summarizes the primary security advisories released during this period.

SAP Security NoteComponentPrimary Risk
3307833SAP BusinessObjects (BOBJ)Critical Information Disclosure
33284953D Visual Enterprise License ManagerCode Injection / Session Hijacking
3326210SAPUI5Untrusted CSS Input Validation
3217303BOBJ (CMC)Information Disclosure
3213507BOBJ (Monitoring DB)Information Disclosure
3301942SAP Digital ManufacturingMissing Authentication / JWT

How do I mitigate the License Manager vulnerability?

To address the vulnerabilities identified in Note 3328495, administrators must update the SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. If an immediate update is not feasible, SAP provides a temporary workaround that involves disabling the solution’s vulnerable web interface to prevent exploitation.

FAQ

What is the critical risk associated with SAP BusinessObjects?
Note 3307833 describes an information disclosure vulnerability that allows authenticated attackers with administrator privileges to compromise the login tokens of other users. This effectively grants the attacker the ability to access the platform using the credentials of the compromised user.

What specific vulnerabilities exist in the SAP 3D Visual Enterprise License Manager?
The vulnerabilities addressed in Note 3328495 include code injection, broken authentication, and session hijacking. These flaws present significant risks to the security of the license management environment and require either a patch to version 15.0.1-sap2 or the disabling of the web interface.

Are there updates for SAPUI5 or Digital Manufacturing?
Yes. Note 3326210 provides corrections for input validation concerning untrusted CSS in SAPUI5. Additionally, Note 3301942 addresses a missing authentication vulnerability and ensures proper validation of JSON Web Token signatures in SAP Digital Manufacturing.

Share the Post: