The September 2023 SAP Security Notes address critical and high-priority vulnerabilities affecting the SAP BusinessObjects Intelligence Platform (BOBJ) and the SAP Common Crypto Library. These patches remediate risks including code injection, information disclosure, cross-site scripting (XSS), and denial of service (DoS) attacks that could compromise system integrity.
Executive Summary
In September 2023, SAP released critical security updates addressing several significant vulnerabilities across its product suite. The most severe issues impact the SAP BusinessObjects Intelligence Platform (BOBJ), specifically involving command injection, information disclosure, and cross-site scripting (XSS) within the platform’s components. Additionally, a high-risk buffer overflow vulnerability was identified in the SAP Common Crypto Library, which could lead to a denial of service if exploited.
Security teams should prioritize patching these systems immediately. For BOBJ, updates address flaws in the Enterprise component and the Promotion Management tool, where sensitive information was previously exposed. The patch for the Web Intelligence HTML interface resolves an XSS vulnerability caused by improper file type validation. Meanwhile, the SAP Common Crypto Library vulnerability requires an upgrade to version 8.5.49 or higher to prevent potential application crashes caused by corrupted data packages. Organizations are advised to review these notes to ensure their SAP environment remains secure against these documented threats.
Key Takeaways
- SAP released patches for critical code injection and information disclosure vulnerabilities in the SAP BusinessObjects Intelligence Platform.
- Note 3320355 provides a temporary workaround for information disclosure in Promotion Management by restricting folder access.
- Note 3370490 fixes an XSS vulnerability in the BOBJ Web Intelligence HTML interface caused by insufficient file type validation.
- The SAP Common Crypto Library requires an upgrade to 8.5.49 or higher to mitigate a high-risk buffer overflow and DoS vulnerability.
What are the critical vulnerabilities in BOBJ?
Critical vulnerabilities in the SAP BusinessObjects Intelligence Platform (BOBJ) include command injection and information disclosure risks addressed by notes 3245526 and 3320355. Note 3245526, re-released in September, patches a command injection flaw in the Enterprise component of BOBJ versions 4.2 and 4.3 that allows for privilege escalation. Note 3320355 prevents information disclosure from the Promotion Management tool by removing sensitive data from client responses.
How do I mitigate the BOBJ Web Intelligence XSS vulnerability?
The cross-site scripting (XSS) vulnerability in the BOBJ Web Intelligence HTML interface, addressed in note 3370490, is mitigated by applying the provided security patch. This patch blocks unauthorized file types, preventing attackers from modifying content types or extensions to access sensitive data during file uploads.
How do I fix the SAP Common Crypto Library vulnerability?
To mitigate the high-risk buffer overflow vulnerability in the SAP Common Crypto Library described in note 3327896, customers must upgrade to CommonCryptoLib version 8.5.49 or higher. This vulnerability, which could be exploited to trigger a denial of service, stems from a parser error when processing a manipulated data package with a corrupted SNC NAME ASN.1 structure.
Summary of September 2023 SAP Security Notes
The following table summarizes the key vulnerabilities and their respective remediation actions for September 2023.
| SAP Note | Component | Vulnerability Type | Remediation Action |
|---|---|---|---|
| 3245526 | BOBJ Enterprise | Code Injection | Apply Patch |
| 3320355 | BOBJ Promotion Mgmt | Info Disclosure | Apply Patch / Restrict Access |
| 3370490 | BOBJ Web Intelligence | XSS | Apply Patch |
| 3327896 | Common Crypto Library | Buffer Overflow | Upgrade to 8.5.49+ |
FAQ
What is the risk associated with SAP Note 3327896?
Note 3327896 involves a high-risk buffer overflow vulnerability in the SAP Common Crypto Library. An attacker can exploit this by sending a manipulated data package with a corrupted SNC NAME ASN.1 structure, which triggers a parser error and results in a denial of service, crashing the application.
Can I mitigate the Promotion Management information disclosure without patching?
Yes, note 3320355 suggests a temporary workaround for the information disclosure vulnerability. Administrators can prevent exploitation by removing rights to the promotion job folder from users who do not require access to that specific area of the application.
Which BOBJ versions are impacted by the command injection vulnerability?
The command injection vulnerability addressed in note 3245526 impacts the Enterprise component within BOBJ versions 4.2 and 4.3. Administrators running these versions should apply the update provided in the re-released note.