
WARNING: CRITICAL VULNERABILITIES IN MULTIPLE SAP BUSINESS TECHNOLOGY PLATFORM (BTP) SECURITY SERVICES INTEGRATION LIBRARIES

Reference: Advisory #2023-149
Version: 1.0
Affected software: 
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) – versions < 3.6.0
SAP BTP Security Services Integration Library ([Python] sap-xssec) – versions < 4.1.0
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – versions < 2.17.0
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – versions >= 3.0.0 and < 3.3.0
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) – versions < 0.17.0
Type: Improper Privilege Management (CWE-269)
CVE/CVSS:
CVE-2023-49583 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50422 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50423 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2023-50424 – CVSS score: 9.1 (critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Sources

https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/

Risks

SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go all contain high severity vulnerabilities which could allow an unauthenticated remote attacker to escalate privileges on the targeted system.

Description

Due to improper privilege management within the SAP BTP Security Services Integration Libraries for Node.js, Python, Java and Go, an attacker could, under certain conditions, escalate privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Recommended Actions

SAP recommends updating your SAP Business Technology Platform (BTP) Security Services Integration Libraries to the latest version to stay patched:

  • SAP BTP Security Services Integration Library ([Node.js] @sap/xssec) – version 3.6.0
  • SAP BTP Security Services Integration Library ([Python] sap-xssec) – version 4.1.0
  • SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 2.17.0
  • SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) – version 3.3.0
  • SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) – version 0.17.0
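To locate affected deployments, the following added script (not part of this advisory or of SAP's libraries) compares dependency versions against the affected ranges listed above, including the split Java range; the package names are those named in the advisory, and the sample inventory is constructed.

```python
"""Flag SAP BTP security-services library versions inside the affected ranges
of this advisory. Added example; the sample inventory below is constructed."""
import re

# Affected ranges from the advisory: (lower bound inclusive or None, upper bound exclusive)
AFFECTED = {
    "@sap/xssec": [(None, "3.6.0")],
    "sap-xssec": [(None, "4.1.0")],
    "cloud-security-services-integration-library": [(None, "2.17.0"), ("3.0.0", "3.3.0")],
    "github.com/sap/cloud-security-client-go": [(None, "0.17.0")],
}

def parse_version(v):
    """Turn '3.10.2', 'v0.17.0' or '2.17.0-rc1' into a comparable tuple.
    The numeric core is padded to three parts; a pre-release suffix sorts
    below the final release (2.17.0-rc1 < 2.17.0), as in semver."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in core.group(1).split("."))
    parts += (0,) * (3 - len(parts))
    release_flag = 0 if re.search(r"-[0-9A-Za-z]", v) else 1
    return parts + (release_flag,)

def is_affected(package, version):
    """True if this package/version pair lies in one of the advisory's affected ranges."""
    ranges = AFFECTED.get(package)
    if ranges is None:
        return False  # not one of the libraries named in the advisory
    v = parse_version(version)
    for low, high in ranges:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return True
    return False

def scan(dependencies):
    """dependencies: iterable of (package, version) pairs as read from package.json,
    requirements.txt, pom.xml or go.mod. Returns the pairs that need updating."""
    return [(p, v) for p, v in dependencies if is_affected(p, v)]

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real system.
    sample = [
        ("@sap/xssec", "3.5.1"),
        ("sap-xssec", "4.1.0"),
        ("cloud-security-services-integration-library", "3.2.0"),
        ("cloud-security-services-integration-library", "2.17.0"),
        ("github.com/sap/cloud-security-client-go", "v0.16.3"),
    ]
    for package, version in scan(sample):
        print(f"UPDATE NEEDED: {package} {version}")
```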

References

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
https://nvd.nist.gov/vuln/detail/CVE-2023-49583
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
https://nvd.nist.gov/vuln/detail/CVE-2023-50424