And again Cross-Site-Scripting…
Looking at the SAP Security Patch Day for June, there are 13 notes to be processed (8 new, 5 updated), 4 of which have a high priority: the CVSS value varies from 8.8 to 2.7 (out of a maximum of 10).
The following notes were processed for our SAP NetWeaver-based HCM system and their included components:
- Note 33242851 (CVSS value 8.2) and Note 33262102 (CVSS value 7.1) address cross-site scripting vulnerabilities in the SAPUI5 framework. The fix requires that the SAPUI5 framework is updated to the latest patch level. Note that this is not done in transaction SNOTE as with other ABAP-based notes. The necessary steps are described in note 31559483.
- Note 33228004 (CVSS value 6.1) is an update to a note discussed back in May5 here on the blog. Again, cross-site scripting is the issue and now output encoding is included at an appropriate point as a countermeasure. Since these safeguards cannot affect regular input processing, the affected class has been updated via the new note.
- Note 33256426 (CVSS value 2.7) prevents a so-called denial-of-service attack. Technically, the problematic report is shut down by simply commenting out the source code. Workload monitoring (transaction ST03N) can be used to validate whether the report was actually used. This is not the case in our landscape, so the note could be implemented without any problems.
With this, we are already through for this month – June was again a comparatively simple patch run.
————————————–
[2] 3326210 – [CVE-2023-30743] Falsche Neutralisierung der Eingabe in SAPUI5 – SAP for Me
[3] 3155948 – Aktualisierung der ABAP-SAPUI5-Patch-Version – SAP for Me