
WARNING: CRITICAL VULNERABILITIES IN MULTIPLE SAP BUSINESS TECHNOLOGY PLATFORM (BTP) SECURITY SERVICES INTEGRATION LIBRARIES

Reference:
Advisory #2023-149
Version:
1.0
Affected software:
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) – versions < 3.6.0
SAP BTP Security Services Integration Library ([Python] sap-xssec) – versions < 4.1.0
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – versions < 2.17.0
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – versions >= 3.0.0 and < 3.3.0
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) – versions < 0.17.0
Type: 
Improper Privilege Management (CWE-269)
CVE/CVSS: 

CVE-2023-49583
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2023-50422
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2023-50423
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE-2023-50424
CVSS score: 9.1 (critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Sources

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

Risks

The SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go all contain critical vulnerabilities (CVSS 9.1) that could allow an unauthenticated remote attacker to escalate privileges in an application built on them.

Description

Due to improper privilege management in the SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go, an attacker could, under certain conditions, escalate privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. These libraries are the components a BTP application uses to validate incoming tokens and map them to application authorizations, so every application that bundles an affected version is exposed. The advisory does not specify the conditions under which the flaw is exploitable, so the affected version ranges should be treated as the only reliable indicator.

Recommended actions

SAP recommends updating the SAP Business Technology Platform (BTP) Security Services Integration Libraries to the fixed versions below or later. Because the libraries are bundled into each application rather than supplied at runtime by the platform, the update has to be applied per application: bump the dependency, rebuild and redeploy.

  • SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) – version 3.6.0
  • SAP BTP Security Services Integration Library ([Python] sap-xssec) – version 4.1.0
  • SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 2.17.0 (2.x line)
  • SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 3.3.0 (3.x line)
  • SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) – version 0.17.0
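As an added example (not SAP's code and not part of the original advisory), the following Python script checks a dependency inventory against the affected ranges listed in this advisory. It reads an npm package-lock.json, `pip freeze` output and a go.mod file; for the Java library it takes the version string reported by `mvn dependency:list` directly, since Maven coordinates are not parsed here. The sample manifests are constructed for illustration, and the library keys, the `check()`/`find_affected()` helpers and the pre-release handling (a pre-release of a fixed version is still reported as affected) are conventions of this example, not of SAP's libraries.

```python
"""Check SAP BTP Security Services Integration Library versions against the
fixed versions from Advisory #2023-149 (CVE-2023-49583, CVE-2023-50422,
CVE-2023-50423, CVE-2023-50424). Added example, not SAP's own tooling."""
import json
import re

# (inclusive lower bound or None, first fixed version) per release line.
# Version tuples are (major, minor, patch, flag): flag is 0 for a final release
# and -1 for a pre-release, so "3.6.0-rc1" sorts below "3.6.0" and is still
# reported as affected. Ranges are taken from the advisory text above.
AFFECTED_RANGES = {
    "@sap/xssec": [(None, (3, 6, 0, 0))],
    "sap-xssec": [(None, (4, 1, 0, 0))],
    "cloud-security-services-integration-library": [
        (None, (2, 17, 0, 0)),            # 2.x line, fixed in 2.17.0
        ((3, 0, 0, 0), (3, 3, 0, 0)),     # 3.x line, fixed in 3.3.0
    ],
    "github.com/sap/cloud-security-client-go": [(None, (0, 17, 0, 0))],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Turn '3.5.1', 'v0.16.0', '3.6.0-rc1' or '4.1.0rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rest = m.groups()
    # Build metadata ("+...") does not affect ordering; anything else is a pre-release.
    flag = 0 if rest == "" or rest.startswith("+") else -1
    return (int(major), int(minor), int(patch), flag)


def check(library, version):
    """Return the fixed version to upgrade to, or None if `version` is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES[library]:
        if (lower is None or v >= lower) and v < fixed:
            return ".".join(str(n) for n in fixed[:3])
    return None


def versions_from_package_lock(text):
    """Package name -> version from an npm package-lock.json (lockfile v1, v2 or v3)."""
    lock = json.loads(text)
    found = {}
    for path, entry in lock.get("packages", {}).items():      # lockfile v2/v3
        if path:                                               # "" is the root project
            found[path.rsplit("node_modules/", 1)[-1]] = entry["version"]
    for name, entry in lock.get("dependencies", {}).items():  # lockfile v1
        found.setdefault(name, entry["version"])
    return found


def versions_from_pip_freeze(text):
    """Package name -> version from `pip freeze` output (names normalised to lowercase, '-')."""
    found = {}
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep:
            found[name.lower().replace("_", "-")] = version
    return found


def versions_from_go_mod(text):
    """Module path -> version from a go.mod file (module paths lowercased for matching)."""
    found = {}
    for m in re.finditer(r"^\s*(\S+)\s+(v\d[^\s]*)", text, re.MULTILINE):
        found[m.group(1).lower()] = m.group(2)
    return found


def find_affected(inventory):
    """Apply the advisory ranges to a {name: version} inventory.

    Returns [(name, installed, fixed)] for every affected library present."""
    findings = []
    for name in AFFECTED_RANGES:
        if name in inventory:
            fixed = check(name, inventory[name])
            if fixed:
                findings.append((name, inventory[name], fixed))
    return findings


# Constructed sample manifests (not taken from any real project).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "btp-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "btp-app", "version": "1.0.0"},
        "node_modules/@sap/xssec": {"version": "3.5.1"},
        "node_modules/express": {"version": "4.18.2"},
    },
})
SAMPLE_PIP_FREEZE = "Flask==3.0.0\nsap-xssec==4.1.0\n"
SAMPLE_GO_MOD = "module example.com/btp-app\n\ngo 1.21\n\nrequire (\n\tgithub.com/sap/cloud-security-client-go v0.16.0\n)\n"

if __name__ == "__main__":
    inventory = {}
    inventory.update(versions_from_package_lock(SAMPLE_PACKAGE_LOCK))
    inventory.update(versions_from_pip_freeze(SAMPLE_PIP_FREEZE))
    inventory.update(versions_from_go_mod(SAMPLE_GO_MOD))
    # Java: version as reported by `mvn dependency:list` (constructed value here).
    inventory["cloud-security-services-integration-library"] = "3.2.0"
    for name, installed, fixed in find_affected(inventory):
        print(f"AFFECTED {name} {installed} -> upgrade to {fixed}")
```

Run against real manifests, the script flags only the four libraries named in this advisory; the 2.x and 3.x Java lines are handled separately so that a 2.17.x install is not reported as needing 3.3.0. Package-lock parsing strips nested `node_modules/` prefixes, so a transitively pulled-in @sap/xssec is reported as well.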

References

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://nvd.nist.gov/vuln/detail/CVE-2023-49583
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
https://nvd.nist.gov/vuln/detail/CVE-2023-50424