SAP Addresses Critical Flaw in ECC and S/4HANA Products with New Security Patches

July 12, 2023

On its July 2023 Security Patch Day, SAP, the German enterprise software maker, unveiled 16 fresh security notes. These updates also encompass revisions for two security notes that were previously released.

The most crucial among the newly released security notes is one that addresses a critical OS command injection vulnerability in SAP ECC and S/4HANA (IS-OIL). This flaw is identified as CVE-2023-36922 and has a CVSS score of 9.1. According to Onapsis, a firm specializing in enterprise application security, the vulnerability “allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter of a vulnerable transaction and program.”

The ERP Central Component (ECC) is a key component within SAP Business Suite, an enterprise resource planning software. If this security flaw is successfully exploited, it could potentially compromise the confidentiality, integrity, and availability of the susceptible system.

Another significant update in this month's SAP patches is an enhancement to a note from April 2018 that brings the latest version of Chromium to SAP Business Client. This security note, which has a CVSS score of 10, rectifies 56 bugs, including two of critical severity and 35 of high severity, as stated by Onapsis.

This week, SAP also released seven high-priority security notes. One of these is an update to a note from June 2023, which addresses a cross-site scripting (XSS) issue in UI5 (Variant Management). The other six high-priority notes tackle a request smuggling and request concatenation issue, a memory corruption bug in Web Dispatcher, a denial-of-service (DoS) vulnerability in SQL Anywhere, and an unauthenticated blind SSRF flaw and a header injection issue in Solution Manager (Diagnostics agent).

SAP also introduced nine security notes this week to rectify medium-severity vulnerabilities in various products including NetWeaver Process Integration, S/4HANA, Enable Now, NetWeaver AS ABAP and ABAP Platform, BusinessObjects, NetWeaver AS for Java, ERP Defense Forces and Public Security, and Business Warehouse and BW/4HANA.

While there is no evidence of these flaws being exploited in the wild, organizations are strongly encouraged to implement the available patches promptly. These known vulnerabilities in enterprise products could potentially be an appealing target for threat actors.

Latest News

• Critical Remote Code Execution Vulnerability Discovered in Fortinet's FortiOS and FortiProxy Devices
• Microsoft Reveals Unpatched Office Zero-Day Exploited During NATO Summit
• Microsoft's July 2023 Patch Tuesday Addresses 132 Vulnerabilities, Including 6 Zero-Days
• Apple's Emergency Security Updates Disrupt Web Browsing on Some Sites
• Critical Exploit in VMware vRealize: A Call for Urgent Patching