SAP Security Patch Day – October 2023
Another month has passed and it is SAP Security Patch Day again. Like every second Tuesday of the month, SAP released a new batch of SAP Security Patches, this time on October 10. This time, 7 new Security Notes have been released along with 2 updates to earlier Security Notes. Compared to earlier releases, the number of patches is relatively low, and all new Security Notes have a ‘medium’ priority. 1 updated Security Note has priority ‘HotNews’, and it is a familiar one.
Although this may look like a patch round that is not so exciting, it is no reason to take patch management lightly!
Patch Management for SAP remains important as ever to protect applications and enforce the security posture of an organization as a whole. Accurate and up-to-date insight is required to effectively manage missing patches. This can be quite a challenge. With the SecurityBridge Patch Management solution, all absent patches can be displayed throughout the technology stack, from the database to the application layer.
SAP Security Patches October 2023
Let’s explore the October 2023 release further. We will look at the well-known ‘Hot News’ Security Note 2622660 and share some facts about the other new and updated ones.
Fight the fatigue!
Ever heard of ‘alert’ or ‘notification’ fatigue? It is the phenomenon that occurs when people are confronted with alerts so frequently that their ability to react effectively is reduced.
Something similar could happen with Security Note 2622660. It was first released in April 2018 and has since been updated continuously with new corrections for the browser control Google Chromium delivered with SAP Business Client. It shows up almost every patch round as a ‘Hot News’ Security Note and may be neglected over time. This time, it has been updated with security corrections with a CVSS score of 8.8.
If this is a relevant component in your landscape, keep checking this note for updates!
New and updated Security Notes
The other released notes concern an array of impacted components: SAP NetWeaver Java, BusinessObjects, S/4HANA, Business One and Sybase PowerDesigner client. Fixing the identified security issues basically comes down to applying the recommended updates.
Some noteworthy remarks:
Summary by Severity
The October release contains a total of 9 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 1 |
| High | 0 |
| Medium | 8 |
| Low | 0 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client. Priority: HotNews. Released on: 10.04.2018. Components: BC-FES-BUS-DSK. Category: Program error | Hot News | 10.0 |
| 3372991 | [CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence. Priority: Correction with medium priority. Released on: 10.10.2023. Components: BI-RA-WBI-FE. Category: Program error | Medium | 6.8 |
| 3333426 | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application). Priority: Correction with medium priority. Released on: 10.10.2023. Components: BC-JAS-ADM-MON. Category: Program error | Medium | 6.5 |
| 3357154 | [CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import). Priority: Correction with medium priority. Released on: 10.10.2023. Components: BC-SYB-PD. Category: Program error | Medium | 6.5 |
| 3219846 | [CVE-2023-42473] Missing Authorization Check in S/4HANA (Manage Withholding Tax Items). Priority: Correction with medium priority. Released on: 26.09.2023. Components: FI-AP-AP-Q1. Category: Program error | Medium | 5.4 |
| 3371873 | Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer). Priority: Correction with medium priority. Released on: 10.10.2023. Components: BC-JAS-SEC. Category: Program error | Medium | 5.3 |
| 3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer). Priority: Correction with medium priority. Released on: 11.07.2023. Components: BC-JAS-SEC. Category: Program error | Medium | 5.3 |
| 3222121 | [CVE-2023-42475] Information Disclosure Vulnerability in Statutory Reporting. Priority: Correction with medium priority. Released on: 10.10.2023. Components: FI-LOC-SRF-RUN. Category: Program error | Medium | 4.3 |
| 3338380 | [CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i). Priority: Correction with medium priority. Released on: 10.10.2023. Components: SBO-CRO-SEC. Category: Program error | Medium | 4.3 |