SAP Security Notes: June 2023 Vulnerability Summary

The June 2023 SAP security updates addressed high-priority vulnerabilities across multiple platforms, including SAP UI5, SAP Knowledge Warehouse, and various NetWeaver-based applications. These patches primarily target cross-site scripting (XSS) and clickjacking risks, providing necessary input validation and configuration restrictions to protect SAP environments from malicious exploitation.

Executive Summary

The June 2023 SAP security update cycle focused on mitigating high-risk vulnerabilities that could lead to cross-site scripting (XSS) and clickjacking exploits. Critical updates were issued for SAP UI5, SAP Knowledge Warehouse (KW), and other key components including SAP BOBJ, CRM, and Enterprise Portal.

For SAP UI5, security notes 3324285 and 3326210 introduced input validation and CSS restrictions to prevent the storage of malicious scripts and the injection of untrusted CSS. SAP Knowledge Warehouse (Note 3102769) received updates to resolve an XSS vulnerability within the Internet Knowledge Servlet (IKS), with recommended workarounds involving component deactivation or URL filtering. Additionally, further patches were released for the Design Time Repository of SAP NetWeaver to address cross-site vulnerabilities. Security administrators are advised to review these notes to ensure the appropriate application of patches or temporary workarounds to secure their SAP infrastructure.

Key Takeaways

  • June 2023 SAP updates address high-priority XSS and clickjacking vulnerabilities across multiple products.
  • SAP UI5 patches (3324285, 3326210) implement input validation and CSS restrictions.
  • SAP Knowledge Warehouse (3102769) requires patching or deactivation of the Internet Knowledge Servlet.
  • Additional patches cover SAP BOBJ, CRM, Enterprise Portal, and NetWeaver Design Time Repository.

Which SAP components were patched in June 2023?

The June 2023 security cycle provided patches for several core SAP components and platforms to mitigate cross-site and injection vulnerabilities.

Note IDAffected ComponentVulnerability Type
3324285SAP UI5Cross-Site Scripting (XSS)
3326210SAP UI5Clickjacking / CSS Injection
3102769SAP Knowledge WarehouseCross-Site Scripting (XSS)
3319400SAP BOBJCross-Site Vulnerability
2826092SAP CRMCross-Site Vulnerability
3331627SAP Enterprise PortalCross-Site Vulnerability
3318657SAP NetWeaver (DTR)Cross-Site Vulnerability

How can SAP UI5 vulnerabilities be mitigated?

Vulnerabilities in SAP UI5 are addressed through patches 3324285 and 3326210, which enforce input validation and restrict untrusted CSS. As a temporary workaround for Note 3326210, administrators can remove the values of the “style” and “class” attributes in the HTML input of the sap.m.FormattedText control and other affected controls.

How do you address the SAP Knowledge Warehouse vulnerability?

The high-priority XSS vulnerability in the Internet Knowledge Servlet (IKS) of SAP Knowledge Warehouse is addressed in Note 3102769. Administrators can mitigate this risk by deactivating the IKS using the Config Tool. Alternatively, URL filters can be applied via the ICM or Web Dispatcher to block requests to the vulnerable component, as detailed in note 3221696.

Share the Post: