The July 2023 SAP security updates address critical vulnerabilities, including OS command injection in SAP ECC and S/4HANA (note 3350297), buffer overflow and HTTP request smuggling in SAP Web Dispatcher (notes 3340735 and 3233899), and blind SSRF and header injection in the Diagnostics Agent (notes 3352058 and 3348145).
The July 2023 SAP security advisories focus on patching critical vulnerabilities across various SAP components, including core ERP systems, the Web Dispatcher, and the Diagnostics Agent. Organizations running SAP ECC or S/4HANA must address a critical OS command injection vulnerability, while those using SAP Web Dispatcher must mitigate risks associated with HTTP/2 protocol flaws. Additionally, users of the Diagnostics Agent in SAP Solution Manager need to apply updates to resolve SSRF and header injection issues. This summary covers the essential notes released in July 2023, providing context on the affected components and the necessary actions to secure these systems against potential exploitation.
Key Takeaways
- Note 3350297 patches critical OS command injection in SAP ECC and S/4HANA, specifically for systems with the IS-OIL component enabled.
- Notes 3340735 and 3233899 address buffer overflow and HTTP request smuggling vulnerabilities in SAP Web Dispatcher affecting the HTTP/2 protocol.
- Notes 3352058 and 3348145 resolve blind SSRF and header injection vulnerabilities in the Diagnostics Agent by updating the LM-SERVICE component.
July 2023 SAP Vulnerability Overview
The following table summarizes the key vulnerabilities addressed in the July 2023 SAP Security Notes.
| Vulnerability Type | Affected Component | Note Numbers |
|---|---|---|
| OS Command Injection | SAP ECC, S/4HANA | 3350297 |
| Buffer Overflow / Request Smuggling | SAP Web Dispatcher | 3340735, 3233899 |
| Blind SSRF / Header Injection | Diagnostics Agent | 3352058, 3348145 |
How do I address the OS command injection in SAP ECC and S/4HANA?
You can address the critical OS command injection vulnerability by applying HotNews note 3350297. This note applies specifically to systems where the IS-OIL component is enabled. Administrators should follow the instructions in the note to confirm whether the component and the necessary supporting switches are enabled in their environment.
How do I mitigate HTTP/2 vulnerabilities in SAP Web Dispatcher?
You can mitigate the buffer overflow and HTTP request smuggling vulnerabilities by applying notes 3340735 and 3233899, which address flaws in the HTTP/2 protocol handling. These vulnerabilities only affect installations that support HTTP/2. Standalone Web Dispatcher versions 7.73 and later support HTTP/2 by default, while version 7.54 is only impacted if the parameter icm/HTTP/support_http2 is set to TRUE. Version 7.45 is not affected because it lacks HTTP/2 support.
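As an added illustration (not from the advisory or from SAP), the following Python triage helper applies the release and parameter rule above to a Web Dispatcher instance profile so an administrator can decide which installations are in scope for notes 3340735 and 3233899. The profile fragment is constructed, the `profile_params` and `http2_exposed` functions are this example's own, releases 7.73 and later are treated as exposed regardless of the parameter (the text only says HTTP/2 is on by default), and releases the advisory does not mention return `None` for manual review.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed Web Dispatcher instance profile (not from a real system).
# SAP profile syntax: one "parameter = value" per line, "#" starts a comment.
SAMPLE_PROFILE_754 = """
# constructed instance profile for a 7.54 standalone Web Dispatcher
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTP,PORT=8080
icm/HTTP/support_http2 = FALSE
# re-enabled further down; the later definition is taken to win
icm/HTTP/support_http2 = true
"""

HTTP2_PARAM = "icm/HTTP/support_http2"
_PARAM_LINE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")


def profile_params(text: str) -> Dict[str, str]:
    """Parse profile text into {parameter: value}.
    Blank lines and lines whose first non-space character is '#' are skipped.
    Assumption: a later definition of the same parameter overrides an earlier one."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _PARAM_LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def _release(release: str) -> Tuple[int, int]:
    major, minor = release.split(".", 1)
    return int(major), int(minor)


def http2_exposed(release: str, profile_text: str) -> Optional[bool]:
    """True if this Web Dispatcher release exposes HTTP/2 (in scope for the notes),
    False if it does not, None if the advisory text does not cover the release."""
    rel = _release(release)
    if rel >= (7, 73):
        return True            # HTTP/2 supported by default
    if rel == (7, 54):
        value = profile_params(profile_text).get(HTTP2_PARAM, "FALSE")
        return value.strip().upper() == "TRUE"   # exposed only when explicitly enabled
    if rel == (7, 45):
        return False           # no HTTP/2 support at all
    return None                # not addressed by the advisory; review manually
```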
How do I fix SSRF and header injection in the Diagnostics Agent?
You can resolve blind SSRF and header injection vulnerabilities in the Diagnostics Agent by upgrading the LM-SERVICE component within your SAP Solution Manager instance. Detailed instructions for upgrading this component to the required patch level are provided in Note 2686969.
Frequently Asked Questions
Which SAP versions are affected by the OS command injection vulnerability?
The vulnerability described in note 3350297 affects SAP ECC and S/4HANA systems, provided that the IS-OIL component is currently enabled.
Are all versions of SAP Web Dispatcher affected by the HTTP/2 vulnerabilities?
No, only installations that support HTTP/2 are affected. Version 7.45 is not affected. Version 7.54 is only impacted if the parameter icm/HTTP/support_http2 is explicitly set to TRUE.
How do I update the LM-SERVICE component?
The update process for the LM-SERVICE component, which addresses vulnerabilities in the Diagnostics Agent, is outlined in Note 2686969.