SAP Security Advisory: Critical Patches for December 2023

SAP’s December 2023 security update includes critical patches for an OS command injection vulnerability in SAP S/4HANA and ECC, and high-risk vulnerabilities in the SAP Business Technology Platform (BTP). Organizations should prioritize the review and application of these notes to mitigate significant security risks.

This advisory summarizes the key vulnerabilities and the required actions for SAP customers. The most critical issues involve HotNews notes for systems with active IS-OIL components and privilege escalation flaws in BTP integration libraries. Other high-priority notes address information disclosure, access control, and cross-site scripting vulnerabilities across various SAP products. Applying these patches promptly is essential to protect system confidentiality, integrity, and availability.

Key Takeaways

  • Critical OS Command Injection: Notes 3350297 and 3399691 fix a critical OS command injection flaw in S/4HANA and ECC for IS-OIL users.
  • High-Risk BTP Flaws: Note 3411067 addresses multiple high-risk privilege escalation vulnerabilities in SAP BTP integration libraries.
  • NetWeaver Information Disclosure: Note 3385711 patches an information disclosure vulnerability in SAP NetWeaver AS ABAP affecting SAP GUI clients.
  • Commerce and BusinessObjects: Notes 3394567 and 3382353 correct access control and XSS vulnerabilities in SAP Commerce Cloud and BusinessObjects.
  • Verification Required: Customers must verify if the IS-OIL component is active to determine if the critical command injection notes are applicable.

What Was the Critical OS Command Injection Vulnerability?

SAP released HotNews notes 3350297 and 3399691 to address a critical OS command injection vulnerability in SAP S/4HANA and ECC. This vulnerability specifically affects installations where the IS-OIL software component is active. Successful exploitation could allow an authenticated attacker to inject operating system commands, potentially leading to a complete compromise of the system’s data and availability. The patches correct this by removing the “Test Selected Routines” option in the ROIBQCICALLTEST report and blocking the direct execution of the OIBQCI_SERVER Function Module.

How Do I Know If I Am Affected by the IS-OIL Vulnerability?

The OS command injection vulnerability is only relevant for systems with active IS-OIL components. You can determine whether your system is affected by using transaction SFWBROWSER. Within this transaction, check the status of two switches: OIBQCI in BUSINESSFUNCTIONBASISCOM and OI0COMMON_2 in COMMODITYMGMT&BULKLOGISTIC. If both of these switches are turned on, the IS-OIL component is considered active and the security notes apply to your system. The notes are not relevant if only the OI0COMMON_2 switch is active.
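For teams that have to answer the applicability question across many systems, the check above reduces to a small decision rule that is easy to get wrong when recorded by hand (in particular, a missing switch reading must not be mistaken for "not affected"). The following is an added example, not code from the advisory or from SAP: it applies the rule from the paragraph above to switch states recorded per system. The semicolon-separated export format and the system names PRD, QAS and DEV are constructed for the example; SFWBROWSER has no such export, so the parser is meant to be adapted to however you record the switch states.

```python
"""Triage helper: decide whether SAP notes 3350297 / 3399691 (IS-OIL OS command
injection) apply to a system, based on the two switches named in the advisory.

Added example, not from the advisory or from SAP. The input format is a
constructed sample (system;business_function;switch;state); adapt the parser to
whatever record of SFWBROWSER switch states you keep.
"""
from dataclasses import dataclass
from typing import Optional

# Business-function / switch pairs the advisory says must BOTH be ON for IS-OIL
# to count as active (names as given in the advisory).
OIBQCI = ("BUSINESSFUNCTIONBASISCOM", "OIBQCI")
OI0COMMON_2 = ("COMMODITYMGMT&BULKLOGISTIC", "OI0COMMON_2")
REQUIRED_SWITCHES = {OIBQCI, OI0COMMON_2}

# Constructed sample input (not real system data).
SAMPLE_EXPORT = """\
# system;business_function;switch;state
PRD;BUSINESSFUNCTIONBASISCOM;OIBQCI;ON
PRD;COMMODITYMGMT&BULKLOGISTIC;OI0COMMON_2;ON
QAS;BUSINESSFUNCTIONBASISCOM;OIBQCI;OFF
QAS;COMMODITYMGMT&BULKLOGISTIC;OI0COMMON_2;ON
DEV;BUSINESSFUNCTIONBASISCOM;OIBQCI;OFF
DEV;COMMODITYMGMT&BULKLOGISTIC;OI0COMMON_2;OFF
"""


def parse_switch_export(text: str) -> dict:
    """Return {system: {(business_function, switch): 'ON'|'OFF'}}.

    Blank lines and '#' comments are skipped; malformed rows raise ValueError
    rather than being silently dropped, so a bad export cannot look like a
    clean 'not affected' result.
    """
    states: dict = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        system, bfunc, switch, state = parts
        state = state.upper()
        if state not in ("ON", "OFF"):
            raise ValueError(f"line {lineno}: unexpected switch state {state!r}")
        states.setdefault(system, {})[(bfunc, switch)] = state
    return states


@dataclass
class Verdict:
    system: str
    is_oil_active: bool
    notes_applicable: Optional[bool]   # None = cannot decide from the data given
    missing: tuple                     # required switches absent from the input
    reason: str


def assess_is_oil(system: str, switch_states: dict) -> Verdict:
    """Apply the advisory's rule: both switches ON -> IS-OIL active -> notes apply.
    Only OI0COMMON_2 ON -> notes not relevant. Missing readings -> undecided."""
    missing = tuple(sorted(k for k in REQUIRED_SWITCHES if k not in switch_states))
    if missing:
        return Verdict(system, False, None, missing,
                       "incomplete data: read the missing switches in SFWBROWSER")
    on = {k for k in REQUIRED_SWITCHES if switch_states[k] == "ON"}
    if on == REQUIRED_SWITCHES:
        return Verdict(system, True, True, (),
                       "both switches ON: IS-OIL active, apply notes 3350297 and 3399691")
    if on == {OI0COMMON_2}:
        return Verdict(system, False, False, (),
                       "only OI0COMMON_2 ON: notes not relevant")
    return Verdict(system, False, False, (), "IS-OIL not active: notes not relevant")


def triage(text: str) -> dict:
    """Map every system in the export to its Verdict."""
    return {sys_id: assess_is_oil(sys_id, sw)
            for sys_id, sw in parse_switch_export(text).items()}


if __name__ == "__main__":
    for v in triage(SAMPLE_EXPORT).values():
        print(f"{v.system}: applicable={v.notes_applicable} ({v.reason})")
```

The three-valued result is deliberate: a system with only one of the two switches recorded gets `notes_applicable=None` and a list of what is still to be read, so it stays on the worklist instead of being closed as unaffected.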

What Were the High-Risk Vulnerabilities in SAP BTP?

Note 3411067 corrects multiple high-risk vulnerabilities in the SAP Business Technology Platform (BTP) that could lead to privilege escalation. These vulnerabilities exist in security integration libraries and programming infrastructure used for authentication and authorization checks with services like XSUAA and Identity Authentication Service (IAS). The flaw could allow an unauthenticated attacker to gain arbitrary permissions within an application. SAP advises all customers with applications developed on SAP BTP to update the specified integration libraries and infrastructure to the recommended versions to mitigate this threat.

What Other Notable Vulnerabilities Were Patched?

SAP addressed several other significant vulnerabilities in the December 2023 patch release.

  • Information Disclosure (Note 3385711): This note provides a server-side fix for an information disclosure vulnerability in SAP NetWeaver AS ABAP. The flaw could be exploited through SAP GUI for Windows and Java. The solution introduces an authentication check to prevent unauthorized access to information.
  • Access Control (Note 3394567): This patch corrects an improper access control vulnerability in SAP Commerce Cloud.
  • Cross-Site Scripting (Note 3382353): This note resolves a cross-site scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability in December 2023?
The most critical issue was an OS command injection vulnerability in SAP S/4HANA and ECC, addressed by HotNews notes 3350297 and 3399691. This flaw affects systems with the IS-OIL component and carries a high risk of system compromise.

Which SAP products were affected by the December 2023 notes?
Affected products include SAP S/4HANA, SAP ECC (with IS-OIL), SAP Business Technology Platform (BTP), SAP NetWeaver AS ABAP, SAP GUI, SAP Commerce Cloud, and SAP BusinessObjects Business Intelligence.

How do I fix the privilege escalation vulnerability in SAP BTP?
To fix the vulnerabilities described in note 3411067, customers must update the relevant security integration libraries and programming infrastructure on SAP BTP to the versions recommended by SAP.
