SAP Security Patch Day – June 2023
Chapters
Share Article
Today is June’s SAP Security Patch Day, an important date for SAP customers as they receive the latest security patches from SAP’s Security & Response teams. According to SAP, 8 new Security Notes have been released. Additionally, there have been 5 updates to previously released Security Notes (source: SAP Digital Library). Our experts have reviewed a total of 13 SAP Security Notes published in June. It is essential for organizations to stay informed about these updates and ensure they apply all necessary patches to maintain the security of their SAP systems. You can find the full list of published notes in this section of the article.
Let’s take a closer look at the highlights of the June SAP Security Patch Day, an established practice for organizations, occurring every second Tuesday of the month. Ensuring the resilience of your SAP system against cyber threats requires diligent Patch Management, which should never be neglected.
SAP Security Patches June 2023
The highest CVSS (Common Vulnerability Scoring System) rating for the current SAP Security Patch Day is 8.2. This rating is attributed to SAP Security Note 3324285, which addresses the CVE-2023-33991 vulnerability titled “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)”. This vulnerability impacts a wide range of SAP_UI component versions, with the exception of SAP_UI 758, which already includes the necessary correction. Exploiting this vulnerability could allow a threat actor with user-level access to read data from the server. Successful attacks have the potential to jeopardize the integrity and confidentiality of the system.
It is crucial for organizations to promptly apply the necessary patches to mitigate the risks associated with this vulnerability and safeguard their SAP systems from potential breaches. By staying proactive in addressing security vulnerabilities, organizations can enhance their overall security posture and protect their critical business operations.
In addition to the aforementioned highlights, the Change and Transport System in SAP NetWeaver has also received attention in the June SAP Security Patch Day. Although it was assigned a low priority, Security Note 3325642 addresses a vulnerability that prevents a potential Denial of Service (DoS) attack.
This particular vulnerability can be exploited by an authenticated attacker with administrative privileges. The attacker can repeatedly execute a benchmark program with the intention of slowing down or completely halting the SAP Transport Management function. While the impact of this vulnerability is generally minor during normal operations, it could potentially be exploited to disrupt time-sensitive project go-lives.
While this vulnerability may not be considered critical, it is important for organizations to apply the corresponding patch provided by SAP. By doing so, organizations can mitigate the risk of potential DoS attacks and ensure the smooth functioning of their SAP Transport Management processes, preventing any disruptions to critical projects. Maintaining a proactive approach to patch management is crucial in maintaining the security and stability of SAP systems.
Summary by Severity
The June release contains a total of 13 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
0 |
|
High
|
4 |
|
Medium
|
8 |
|
Low
|
1 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence
platform Priority: Correction with medium priority Released on: 09.05.2023 Components: BI-BIP-INV Category: Program error |
Medium | 6,1 |
| 2826092 | [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management) Priority: Correction with medium priority Released on: 13.06.2023 Components: CRM-IPS-BTX-APL Category: Program error |
Medium | 6,1 |
| 3318657 | [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time
Repository) Priority: Correction with medium priority Released on: 13.06.2023 Components: BC-CTS-DTR Category: Program error |
Medium | 6,4 |
| 3331627 | [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal) Priority: Correction with medium priority Released on: 13.06.2023 Components: EP-PIN-NAV Category: Program error |
Medium | 6,1 |
| 3325642 | [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System) Priority: Correction with low priority Released on: 13.06.2023 Components: BC-CTS-TMS-CTR Category: Program error |
Low | 2,7 |
| 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 Priority: Correction with high priority Released on: 09.05.2023 Components: CA-UI5-CTR-BAL Category: Program error |
High | 7,1 |
| 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) Priority: Correction with high priority Released on: 13.06.2023 Components: CA-UI5-COR Category: Program error |
High | 8,2 |
| 3322800 | Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM
(WebClient UI) Priority: Correction with medium priority Released on: 13.06.2023 Components: CA-WUI-UI-TAG Category: Program error |
Medium | 6,1 |
| 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) Priority: Correction with medium priority Released on: 09.05.2023 Components: CA-WUI-UI-TAG Category: Program error |
Medium | 6,1 |
| 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse Priority: Correction with high priority Released on: 14.12.2021 Components: KM-KW-HTA Category: Program error |
High | 8,8 |
| 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise
Search for Business Partner, Supplier and Customer) Priority: Correction with medium priority Released on: 08.02.2022 Components: LO-MD-BP Category: Program error |
Medium | 6,5 |
| 1794761 | [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL) Priority: Correction with medium priority Released on: 23.05.2023 Components: AP-MD-BF-SYN Category: Program error |
Medium | 4,2 |
| 3301942 | [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital
Manufacturing Priority: Correction with high priority Released on: 23.05.2023 Components: MFG-PCO-DMC Category: Program error |
High | 7,9 |