Security Advisory

SAP Product Security Update Advisory (CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424, CVE-2024-21737, CVE-2024-22125, CVE-2024-21735)

Overview

Updates that address vulnerabilities in SAP products have been released. Users of affected versions should update to the latest version.

Affected Products

CVE-2023-49583

  • SAP BTP Security Services Integration Library @sap/xssec versions earlier than 3.6.0

CVE-2023-50422

  • SAP BTP Security Services Integration Library cloud-security-services-integration-library versions earlier than 2.17.0
  • SAP BTP Security Services Integration Library cloud-security-services-integration-library versions from 3.0.0 up to, but not including, 3.3.0

CVE-2023-50423

  • SAP BTP Security Services Integration Library sap-xssec versions earlier than 4.1.0

CVE-2023-50424

  • SAP BTP Security Services Integration Library cloud-security-client-go versions earlier than 0.17.0

CVE-2024-21737

  • SAP Application Interface Framework File Adapter version 702

CVE-2024-22125

  • SAP GUI connector for Microsoft Edge version 1.0

CVE-2024-21735

  • SAP LT Replication Server S4CORE versions 103, 104, 105, 106, 107, 108

Resolved Vulnerabilities

Privilege escalation vulnerability in SAP BTP Security Services Integration Library @sap/xssec (CVE-2023-49583)
Privilege escalation vulnerability in SAP BTP Security Services Integration Library cloud-security-services-integration-library (CVE-2023-50422)
Privilege escalation vulnerability in SAP BTP Security Services Integration Library sap-xssec (CVE-2023-50423)
Privilege escalation vulnerability in SAP BTP Security Services Integration Library cloud-security-client-go (CVE-2023-50424)
Privilege escalation vulnerability in SAP Application Interface Framework File Adapter (CVE-2024-21737)
Vulnerability in SAP GUI connector for Microsoft Edge that allows access to sensitive information (CVE-2024-22125)
Privilege escalation vulnerability in SAP LT Replication Server S4CORE (CVE-2024-21735)

Vulnerability Patches

Patches for these vulnerabilities were released in the January 9, 2024 update. Follow the guidance on the reference sites to update to the latest patched version.

CVE-2023-49583

  • SAP BTP Security Services Integration Library @sap/xssec version 3.6.0

CVE-2023-50422

  • SAP BTP Security Services Integration Library cloud-security-services-integration-library versions 2.17.0 or later and earlier than 3.0.0
  • SAP BTP Security Services Integration Library cloud-security-services-integration-library versions 3.3.0 or later

CVE-2023-50423

  • SAP BTP Security Services Integration Library sap-xssec version 4.1.0

CVE-2023-50424

  • SAP BTP Security Services Integration Library cloud-security-client-go version 0.17.0

CVE-2024-21737

  • SAP Application Interface Framework File Adapter versions other than 702

CVE-2024-22125

  • SAP GUI connector for Microsoft Edge versions other than 1.0

CVE-2024-21735

  • SAP LT Replication Server S4CORE versions other than 103, 104, 105, 106, 107, 108

References

[1] SAP Security Patch Day – January 2024
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
[2] CVE-2023-49583
https://www.cve.org/CVERecord?id=CVE-2023-49583
[3] CVE-2023-49583 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-49583#range-10207563
[4] CVE-2023-50422
https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73
[5] CVE-2023-50422 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50422
[6] CVE-2023-50423
https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5
[7] CVE-2023-50423 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50423
[8] CVE-2023-50424
https://github.com/SAP/cloud-security-client-go/security/advisories/GHSA-m8rw-rcpq-2vp2
[9] CVE-2023-50424 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-50424
[10] CVE-2024-21737 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-21737#match-10211840
[11] Under certain conditions the Microsoft Edge browser…
https://github.com/advisories/GHSA-8hc8-mhjh-c5rj
[12] CVE-2024-22125 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-22125
[13] CVE-2024-21735 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-21735
[14] SAP LT Replication Server – version S4CORE 103, S4CORE…
https://github.com/advisories/GHSA-hwv9-7vf2-6394