Skip to content
SAP security Patch day

SAP Security Patch Day – April 2023

Christoph Nagy
Managing director
April 11, 2023
6 min read
Chapters

Share Article

On April 11th, SAP released its latest Security Patch Day following the Easter break. This day is crucial for businesses that rely on SAP software and are concerned about cybersecurity. In this article, we will take a closer look at four HotNews patches that have been released or updated. HotNews patches are the most critical patches that SAP releases. They address vulnerabilities that could potentially lead to a high-risk security breach. Therefore, it is essential that businesses prioritize and apply these patches promptly to minimize the risk of an attack.

False positives can often cause significant troubles and waste efforts. Fortunately, SecurityBridge Patch Management for SAP provides a solution that boasts the highest accuracy in the industry. It enables businesses to manage SAP security patches effectively and efficiently, minimizing the risk of false positives and ensuring timely application of critical patches.

SAP Security Patches April 2023

On April 11th, 2023, SAP released its latest Security Patch Day, which included 21 new security corrections and two updates. Among the fixes were patches for a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform.

It is worth noting that one Security Note has been marked with the category “Consulting”. This means that it does not directly address a security vulnerability but rather provides guidance and recommendations for businesses to improve their overall security posture. Additionally, SAP Business Object Business Intelligence Platform was once again a focus of the Security Patch Day, with several patches released to address various vulnerabilities. Lets look into the highlights.

One of the critical patches released during the April 11th, 2023 SAP Security Patch Day was 3294595, which addressed a Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform. This patch had a HotNews priority rating by SAP, indicating its high severity. The vulnerability, identified by the CVE-2023-27269 identifier, had a CVSS score of 9.6, which was carried over from the initial release of the patch in March. However, the April update contained a reworked solution description that provided a workaround for those who were unable to implement the suggested support package immediately.

Another troublesome patch released during the April 11th, 2023 SAP Security Patch Day is SNote 3305369, which addresses multiple vulnerabilities in SAP Diagnostics Agent. This patch is crucial for businesses using the SAP Solution Manager system landscape, as the Diagnostics Agent is a central component.

The patch fixes multiple vulnerabilities that could lead to Remote Code Execution (RCE) through the OSCommand Bridge and EventLogServiceCollector. Our experts strongly recommend that businesses prioritize this patch, as the LogService and OSCommand Bridge vulnerabilities could be exploited by attackers to gain unauthorized access to systems.

SAP has released another security fix, patch 3298961, for SAP BusinessObjects Business Intelligence Platform. This patch addresses the CVE-2023-28765 vulnerability, which involves information disclosure in the Promotion Management feature. Customers affected by this vulnerability should update the patch level to resolve the issue.

Additionally, there is a vulnerability related to the IP filter in ABAP Platform and SAP Web Dispatcher. Due to erroneous IP netmask handling, this vulnerability could enable access to backend applications from unwanted sources. While successful exploitation of this vulnerability could cause limited impact on the confidentiality of the application, it still requires consulting.

For further information about this vulnerability, customers can refer to patch 3315312, which addresses the CVE-2023-29108 IP filter vulnerability in ABAP Platform and SAP Web Dispatcher. To learn more about securing the SAP Web Dispatcher and ICM, please refer to the following article: SECURING YOUR SAP INTERNET COMMUNICATION MANAGER (ICM).

We always recommend that businesses thoroughly review all the patches released during the SAP Security Patch Day. It’s crucial to map the vulnerability to your exact use-case and protection level for the relevant SAP application or scenario. It’s important to keep in mind that professional attackers can exploit the weakest link in the chain, and the results can be catastrophic. Therefore, it’s necessary to ensure that all vulnerabilities are addressed to minimize the risk of a security breach. By reviewing and applying the latest SAP security patches, businesses can reduce the chances of successful attacks and protect their systems and sensitive data. So don’t wait, take action today and ensure that your SAP systems are secure.

Summary by Severity

The April release contains a total of 21 patches for the following severities:

Severity Number
Hot News
4
High
1
Medium
13
Low
3
Note Description Severity CVSS
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error
Hot News 10,0
3269352 [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 11.04.2023
Components: CA-WUI-UI
Category: Program error
Medium 5,4
3301457 [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0)
Priority: Correction with medium priority
Released on: 11.04.2023
Components: PA-FIO-FO
Category: Program error
Medium 4,3
3275458 [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-FES-WGU
Category: Program error
Medium 6,1
3305907 [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver ( BI CONT ADD ON)
Priority: Correction with high priority
Released on: 11.04.2023
Components: BW-BCT-GEN
Category: Program error
High 8,7
3312733 [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-VCM-LVM
Category: Program error
Medium 6,8
3311624 [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program)
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-FES-INS
Category: Program error
Medium 6,7
3117978 [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)
Priority: Correction with low priority
Released on: 11.04.2023
Components: BC-SRV-AIF
Category: Program error
Low 3,1
3113349 [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
Priority: Correction with low priority
Released on: 11.04.2023
Components: BC-SRV-AIF
Category: Program error
Low 3,7
3115598 [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard)
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-SRV-AIF
Category: Program error
Medium 4,4
3114489 [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring)
Priority: Correction with low priority
Released on: 11.04.2023
Components: BC-SRV-AIF
Category: Program error
Low 3,7
3298961 [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management )
Priority: HotNews
Released on: 11.04.2023
Components: BI-BIP-LCM
Category: Program error
Hot News 9,8
3309056 [CVE-2023-27897] Code Injection vulnerability in SAP CRM
Priority: Correction with medium priority
Released on: 11.04.2023
Components: CRM-BF
Category: Program error
Medium 6,0
3316509 Remote Code Execution vulnerability in SAP Commerce
Priority: Correction with medium priority
Released on: 11.04.2023
Components: CEC-COM-CPS-COR
Category: Program error
Medium 4,7
3289994 [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 11.04.2023
Components: EP-PIN-PRT
Category: Program error
Medium 6,5
3303060 [CVE-2023-29185] Denial of Service (DOS) in SAP NetWeaver AS for ABAP (Business Server Pages)
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-BSP
Category: Program error
Medium 5,3
3296378 [CVE-2023-28763] - Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-MID-AC
Category: Program error
Medium 6,5
3305369 [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector)
Priority: HotNews
Released on: 11.04.2023
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
Hot News 10,0
3287784 [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-JAS-DPL
Category: Program error
Medium 5,3
3315312 [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher
Priority: Correction with medium priority
Released on: 11.04.2023
Components: BC-CST-IC
Category: Consulting
Medium 5,0
3294595 [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: HotNews
Released on: 14.03.2023
Components: BC-CCM-PRN
Category: Program error
Hot News 9,6