SAP Security Notes: August 2023 Vulnerability Summary

The August 2023 SAP security updates address multiple critical vulnerabilities, most notably in SAP PowerDesigner, which faces a 9.8/10 CVSS-rated access control flaw. Other patches resolve issues in SAP Message Server, SAP BusinessObjects Business Intelligence (BOBJ), SAP SQL Anywhere, and SAP Commerce Cloud, requiring immediate attention to prevent unauthorized access and system compromise.

Executive Summary

The August 2023 release of SAP security notes addresses high-risk vulnerabilities across several core enterprise products. The most significant update concerns SAP PowerDesigner, where note 3341460 patches critical access control and information disclosure flaws that could allow attackers to execute arbitrary database queries or access password hashes. Additionally, SAP SQL Anywhere, often bundled with PowerDesigner, received a patch for a code injection vulnerability.

Beyond the PowerDesigner ecosystem, SAP has issued critical guidance for the SAP Message Server to mitigate an authentication bypass vulnerability. Organizations using SAP BusinessObjects Business Intelligence (BOBJ) must address binary hijack and denial of service vulnerabilities, while SAP Commerce Cloud users are advised to update their authentication configurations to prevent unauthorized access via empty passphrases. Security teams should prioritize applying these patches and configuration changes to maintain the integrity of their SAP environments.

Key Takeaways

  • SAP PowerDesigner: Critical vulnerabilities allow arbitrary query execution and information disclosure. Upgrade to version 16.7 SP06 PL04 or 16.7 SP07.
  • SAP SQL Anywhere: Code injection vulnerability permits local attackers to control the application. Patch by upgrading to SP07 PL01.
  • SAP Message Server: High-risk authentication bypass addressed via kernel patches and specific profile parameter hardening.
  • SAP Commerce Cloud: Authenticating with an empty passphrase is now blocked by default; update configuration property user.password.acceptEmpty.

Critical Vulnerabilities and Remediation Summary

The following table summarizes the key SAP security vulnerabilities and required actions identified in the August 2023 security notes.

SAP ProductVulnerability TypeRemediation Action
SAP PowerDesignerAccess Control / Info DisclosureUpgrade to 16.7 SP06 PL04 or 16.7 SP07
SAP SQL AnywhereCode InjectionUpgrade to SP07 PL01
SAP Message ServerAuthentication BypassApply kernel patches; set system/secure_communication to ON
SAP BusinessObjectsBinary Hijack / DoSApply patches from notes 3317710 and 3312047
SAP Commerce CloudAuthentication BypassChange user.password.acceptEmpty to false

What are the critical risks in SAP PowerDesigner?

SAP PowerDesigner is impacted by note 3341460, which covers critical vulnerabilities including an access control flaw (CVE-2023-37483) with a CVSS score of 9.8/10. Attackers can exploit this to execute arbitrary queries against back-end databases via proxies. The update also addresses an information disclosure vulnerability that could expose password hashes in client memory. Administrators should upgrade to version 16.7 SP06 PL04 or 16.7 SP07 to resolve these issues.

How do I secure the SAP Message Server?

Note 3344295 addresses a high-risk authentication bypass vulnerability in the SAP Message Server. While applying the specified kernel patches is the primary remediation, you can further mitigate potential exploits by setting the profile parameter system/secure_communication to ON, protecting the internal port of the Message Server, and ensuring the trace level is set to a value lower than 2.

What changes were made to SAP Commerce Cloud authentication?

Note 3346500 improves security in SAP Commerce Cloud by removing the ability for users to authenticate with an empty passphrase. This was achieved by changing the default value of the configuration property user.password.acceptEmpty from true to false. Organizations should review their current configuration to ensure this change does not impact legitimate users.

Share the Post: