SAP Security Patch Day – May 2023
Today is another SAP Security Patch Day, the fifth of the year. In May 2023, the SAP Response Team released 20 SAP Security Notes, including the Evergreen note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, with HotNews priority. Another SNote, 3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service), was updated once more.
Besides the updated notes, SAP Security Patch Day May 2023 contains 18 new security updates for the vast SAP product portfolio, the majority of which relate to SAP BusinessObjects.
Before we dive into the highlights of the monthly recurring SAP Security Patch Day, which takes place every second Tuesday, we want to show you a way to make your SAP system resilient. An SAP system that is protected not only by reactive security measures but by a strategic and holistic approach can achieve a state of cyber resilience.
We covered the topic of SAP Cyber Resilience in this blog article.
In summary, a better security posture is not achieved through reactive individual measures, but through a multi-layered approach that combines the security domains of system hardening and continuous compliance monitoring, timely patching of security vulnerabilities, and real-time monitoring. Customers who analyze and fix vulnerabilities in their own ABAP/4 developments also close these (often unknown) attack vectors.
When it comes to the question of whether SAP Cyber Resilience protects against zero-day vulnerabilities, opinions differ. It is true, however, that the intelligent combination of defense lines allows even a zero-day vulnerability, which an attacker exploits in combination with other vulnerabilities, to be detected early, or prevents the exploit from working altogether. Please feel free to contact us if you would like to learn more about this topic.
SAP Security Patches May 2023
SAP has released 20 security updates in the May 2023 Security Patch Day, out of which six (6) are Security Notes for SAP BusinessObjects.
We highly recommend that all customers of this product line review and apply all relevant security patches. The highest CVSS score of 9.1 is assigned to Patch 3307833, which addresses [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console).
A HotNews patch (3328495) has been released for multiple vulnerabilities associated with the Reprise License Manager 14.2 component, used with the SAP 3D Visual Enterprise License Manager. The Reprise License Manager is a third-party software component that provides license management services for various applications, including the SAP 3D Visual Enterprise product. It allows software vendors to manage their licensing models and provides end-users with a way to activate, manage, and track their licenses. The Reprise License Manager has been found to have vulnerabilities in the past, which can be exploited by attackers to gain unauthorized access to systems or steal sensitive information. Therefore, it’s important to apply the latest security patches for this component to ensure the security of your systems.
In addition, there are seven (7) Security Patches with Priority High and various others classified as Medium. We strongly suggest reviewing all security patches, even those with a lower priority, as a successful attack typically consists of the exploitation of a chain of existing vulnerabilities.
Summary by Severity
The May release contains a total of 20 patches for the following severities:
Severity | Number |
---|---|
Hot News | 3 |
High | 7 |
Medium | 7 |
Low | 3 |
Note | Description | Severity | CVSS |
---|---|---|---|
3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) Priority: Correction with low priority Released on: 11.04.2023 Components: BC-SRV-AIF Category: Program error | Low | 3,1 |
3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 Priority: Correction with high priority Released on: 09.05.2023 Components: CA-UI5-CTR-BAL Category: Program error | High | 7,1 |
3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI Priority: Correction with medium priority Released on: 09.05.2023 Components: CA-WUI-CON Category: Program error | Medium | 5,4 |
3309935 | [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform Priority: Correction with medium priority Released on: 09.05.2023 Components: BI-BIP-INV Category: Program error | Medium | 6,1 |
3313484 | [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform Priority: Correction with medium priority Released on: 09.05.2023 Components: BI-BIP-INV Category: Program error | Medium | 6,3 |
3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager Priority: HotNews Released on: 09.05.2023 Components: CA-VE Category: Program error | Hot News | 9,8 |
3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA Priority: Correction with high priority Released on: 09.05.2023 Components: BC-JAS-EJB Category: Program error | High | 8,2 |
3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Priority: Correction with medium priority Released on: 09.05.2023 Components: CA-WUI-UI-TAG Category: Program error | Medium | 6,1 |
3307833 | [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console) Priority: HotNews Released on: 09.05.2023 Components: BI-BIP-SRV Category: Program error | Hot News | 9,1 |
3323415 | [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel Priority: Correction with high priority Released on: 09.05.2023 Components: SCM-IBP-XLS Category: Program error | High | 8,2 |
3320467 | [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows Priority: Correction with high priority Released on: 09.05.2023 Components: BC-FES-GUI Category: Program error | High | 7,5 |
3320145 | Denial of service (DOS) in SAP Commerce Priority: Correction with high priority Released on: 09.05.2023 Components: CEC-COM-CPS-OTH Category: Program error | High | 7,5 |
3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform Priority: Correction with medium priority Released on: 09.05.2023 Components: BI-BIP-INV Category: Program error | Medium | 6,1 |
3302595 | [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform Priority: Correction with low priority Released on: 09.05.2023 Components: BI-BIP-IDT Category: Program error | Low | 3,7 |
3300624 | [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) Priority: Correction with high priority Released on: 09.05.2023 Components: BC-SYB-PD Category: Program error | High | 7,5 |
3312892 | [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation Priority: Correction with medium priority Released on: 09.05.2023 Components: EPM-BPC-NW-DOC Category: Program error | Medium | 5,4 |
2335198 | [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy Priority: Correction with low priority Released on: 09.05.2023 Components: LO-MD-BP-VM Category: Program error | Low | 2,8 |
3321309 | Information Disclosure vulnerability in SAP Commerce (Backoffice) Priority: Correction with high priority Released on: 09.05.2023 Components: CEC-COM-CPS-OTH Category: Program error | High | 7,5 |
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client Priority: HotNews Released on: 10.04.2018 Components: BC-FES-BUS-DSK Category: Program error | Hot News | 10,0 |
3038911 | [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service) Priority: Correction with medium priority Released on: 09.05.2023 Components: BI-BIP-ADM Category: Program error | Medium | 5,0 |
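The recommendation above to review every note, not only the HotNews and High ones, is easier to follow when the listing is turned into a ranked work list per system. The following Python script is an added example written for this article, not code from the article's author or from SAP: it parses rows in the table layout used above (note number, a description cell carrying the labelled Priority, Released on, Components and Category fields, the severity, and a CVSS score written with a decimal comma), filters them to the SAP component prefixes installed on an assumed example landscape (BusinessObjects BI-BIP-* and basis BC-* components, a constructed assumption), orders them most severe first and flags notes whose release date predates the patch day, which marks them as re-released updates such as 2622660 and 3117978. The six sample rows are copied from the table above and embedded as constructed input.

```python
"""Triage helper for an SAP Security Patch Day note listing (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample input: six rows taken from the note table in this article,
# one note per line, in the same "note | description | severity | CVSS" layout.
SAMPLE_ROWS = """\
3307833 | [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console) Priority: HotNews Released on: 09.05.2023 Components: BI-BIP-SRV Category: Program error | Hot News | 9,1
3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager Priority: HotNews Released on: 09.05.2023 Components: CA-VE Category: Program error | Hot News | 9,8
3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA Priority: Correction with high priority Released on: 09.05.2023 Components: BC-JAS-EJB Category: Program error | High | 8,2
3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI Priority: Correction with medium priority Released on: 09.05.2023 Components: CA-WUI-CON Category: Program error | Medium | 5,4
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client Priority: HotNews Released on: 10.04.2018 Components: BC-FES-BUS-DSK Category: Program error | Hot News | 10,0
3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) Priority: Correction with low priority Released on: 11.04.2023 Components: BC-SRV-AIF Category: Program error | Low | 3,1
"""

# Triage order: lower rank is handled first.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}

# The description cell is an optional [CVE-...] tag, a free-text title, then four labelled fields.
DESCRIPTION_RE = re.compile(
    r"^(?:\[(?P<cve>CVE-\d{4}-\d{4,})\]\s*)?(?P<title>.+?)\s+"
    r"Priority:\s*(?P<priority>.+?)\s+"
    r"Released on:\s*(?P<released>\d{2}\.\d{2}\.\d{4})\s+"
    r"Components:\s*(?P<component>\S+)\s+"
    r"Category:\s*(?P<category>.+?)\s*$"
)


@dataclass
class SecurityNote:
    note: str
    cve: Optional[str]
    title: str
    priority: str
    released: date
    component: str
    category: str
    severity: str
    cvss: float


def parse_cvss(text: str) -> float:
    """The listing writes scores with a decimal comma ("9,1"); accept comma or point."""
    return float(text.strip().replace(",", "."))


def parse_date(text: str) -> date:
    """Listing dates are DD.MM.YYYY."""
    day, month, year = (int(part) for part in text.split("."))
    return date(year, month, day)


def parse_row(line: str) -> SecurityNote:
    """Parse one 'note | description | severity | CVSS' row; raise on malformed input."""
    cells = [cell.strip() for cell in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"expected 4 cells, got {len(cells)}: {line!r}")
    note, description, severity, cvss = cells
    match = DESCRIPTION_RE.match(description)
    if match is None:
        raise ValueError(f"unparseable description for note {note}: {description!r}")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r} for note {note}")
    return SecurityNote(note=note, cve=match["cve"], title=match["title"],
                        priority=match["priority"], released=parse_date(match["released"]),
                        component=match["component"], category=match["category"],
                        severity=severity, cvss=parse_cvss(cvss))


def parse_rows(text: str) -> List[SecurityNote]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def is_rerelease(note: SecurityNote, patch_day: date) -> bool:
    """A note released before the patch day is an updated (re-released) note, not a new one."""
    return note.released < patch_day


def triage(notes: List[SecurityNote], component_prefixes: List[str],
           patch_day: date) -> List[Tuple[str, str, float, bool]]:
    """Keep notes whose SAP component sits under one of the given prefixes (dash-separated
    hierarchy, so "BC" matches BC-JAS-EJB but not BCX), order them by severity rank,
    then CVSS descending, then note number, and flag re-released notes."""
    relevant = [
        n for n in notes
        if any(n.component == p or n.component.startswith(p.rstrip("-") + "-")
               for p in component_prefixes)
    ]
    relevant.sort(key=lambda n: (SEVERITY_RANK[n.severity], -n.cvss, n.note))
    return [(n.note, n.severity, n.cvss, is_rerelease(n, patch_day)) for n in relevant]


if __name__ == "__main__":
    # Assumed example landscape: BusinessObjects (BI-BIP) and basis (BC) components installed.
    for entry in triage(parse_rows(SAMPLE_ROWS), ["BI-BIP", "BC"], date(2023, 5, 9)):
        print(entry)
```

Run against the sample rows with the assumed BI-BIP and BC landscape, the work list starts with 2622660 (Hot News, 10,0, re-release) and 3307833 (Hot News, 9,1), then 3317453 (High, 8,2), then the re-released 3117978 (Low, 3,1); the Reprise License Manager note (CA-VE) and the CRM note (CA-WUI-CON) drop out because those components are not installed. Re-released notes deserve a second look even when their own score is low, since the update may mean the earlier correction was incomplete.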