WARNING: CRITICAL VULNERABILITIES IN MULTIPLE SAP BUSINESS TECHNOLOGY PLATFORM (BTP) SECURITY SERVICES INTEGRATION LIBRARIES
CVE-2023-49583 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50422 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50423 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50424 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Sources
https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/
Risks
SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go all contain high severity vulnerabilities which could allow an unauthenticated remote attacker to escalate privileges on the targeted system.
Description
Due to improper privilege management within the SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go, an attacker could be allowed, under certain conditions, to perform an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Recommended Actions
SAP recommends updating your SAP Business Technology Platform (BTP) Security Services Integration Libraries to the latest version to stay patched:
- SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) – version 3.6.0
- SAP BTP Security Services Integration Library ([Python] sap-xssec) – version 4.1.0
- SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 2.17.0
- SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 3.3.0
- SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) – version 0.17.0
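To audit an application's dependencies against the fixed versions listed above, the following script (an added example, not SAP's code) compares each installed library version with the patched version on its release line; the Java library has two fixed lines (2.17.0 and 3.3.0), which the check handles separately. The dependency inventory is constructed sample input, and treating a release line older than any listed fix as vulnerable is an assumption of this script, not a statement from the advisory.

```python
"""Check SAP BTP Security Services Integration Library versions against the
fixed versions from SAP note 3411067 (CVE-2023-49583/50422/50423/50424)."""
import re

# Minimum patched version per package, as listed in the advisory.
# The Java library has two maintained release lines, each with its own fix.
FIXED_VERSIONS = {
    "@sap/xssec": [(3, 6, 0)],
    "sap-xssec": [(4, 1, 0)],
    "cloud-security-services-integration-library": [(2, 17, 0), (3, 3, 0)],
    "github.com/sap/cloud-security-client-go": [(0, 17, 0)],
}

def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional 'v' prefix; a pre-release suffix
    such as '-rc1' is ignored) into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(package, version):
    """True if the installed version predates the fix on its release line."""
    fixes = FIXED_VERSIONS[package]
    installed = parse_version(version)
    same_line = [f for f in fixes if f[0] == installed[0]]
    if same_line:
        return installed < same_line[0]
    # Assumption (not from the advisory): a line older than every listed fix
    # is treated as unpatched; a newer line (e.g. Java 4.x) as patched.
    return installed < min(fixes)

def audit(inventory):
    """Return the (package, version) pairs that still need upgrading;
    packages not covered by the advisory are ignored."""
    return [(p, v) for p, v in inventory
            if p in FIXED_VERSIONS and is_vulnerable(p, v)]

# Constructed sample inventory of one BTP application's dependencies.
SAMPLE_INVENTORY = [
    ("@sap/xssec", "3.2.13"),
    ("sap-xssec", "4.1.0"),
    ("cloud-security-services-integration-library", "2.16.1"),
    ("cloud-security-services-integration-library", "3.3.0"),
    ("github.com/sap/cloud-security-client-go", "v0.15.0"),
    ("express", "4.18.2"),  # unrelated package, skipped
]

if __name__ == "__main__":
    for pkg, ver in audit(SAMPLE_INVENTORY):
        print(f"UPGRADE NEEDED: {pkg} {ver}")
```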
References
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://nvd.nist.gov/vuln/detail/CVE-2023-49583
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
https://nvd.nist.gov/vuln/detail/CVE-2023-50424