Skip to content
SAP security Patch day

SAP Security Patch Day – June 2023

08f4ab4c66997156c778169c9fc04205?s=96&d=mm&r=g
Christoph Nagy
Managing director
June 13, 2023
5 min read
Chapters

Share Article

Today is June’s SAP Security Patch Day, an important date for SAP customers as they receive the latest security patches from SAP’s Security & Response teams. According to SAP, 8 new Security Notes have been released. Additionally, there have been 5 updates to previously released Security Notes (source: SAP Digital Library). Our experts have reviewed a total of 13 SAP Security Notes published in June. It is essential for organizations to stay informed about these updates and ensure they apply all necessary patches to maintain the security of their SAP systems. You can find the full list of published notes in this section of the article.

Let’s take a closer look at the highlights of the June SAP Security Patch Day, an established practice for organizations, occurring every second Tuesday of the month. Ensuring the resilience of your SAP system against cyber threats requires diligent Patch Management, which should never be neglected.

SAP Security Patches June 2023

The highest CVSS (Common Vulnerability Scoring System) rating for the current SAP Security Patch Day is 8.2. This rating is attributed to SAP Security Note 3324285, which addresses the CVE-2023-33991 vulnerability titled “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)”. This vulnerability impacts a wide range of SAP_UI component versions, with the exception of SAP_UI 758, which already includes the necessary correction. Exploiting this vulnerability could allow a threat actor with user-level access to read data from the server. Successful attacks have the potential to jeopardize the integrity and confidentiality of the system.

It is crucial for organizations to promptly apply the necessary patches to mitigate the risks associated with this vulnerability and safeguard their SAP systems from potential breaches. By staying proactive in addressing security vulnerabilities, organizations can enhance their overall security posture and protect their critical business operations.

In addition to the aforementioned highlights, the Change and Transport System in SAP NetWeaver has also received attention in the June SAP Security Patch Day. Although it was assigned a low priority, Security Note 3325642 addresses a vulnerability that prevents a potential Denial of Service (DoS) attack.

This particular vulnerability can be exploited by an authenticated attacker with administrative privileges. The attacker can repeatedly execute a benchmark program with the intention of slowing down or completely halting the SAP Transport Management function. While the impact of this vulnerability is generally minor during normal operations, it could potentially be exploited to disrupt time-sensitive project go-lives.

While this vulnerability may not be considered critical, it is important for organizations to apply the corresponding patch provided by SAP. By doing so, organizations can mitigate the risk of potential DoS attacks and ensure the smooth functioning of their SAP Transport Management processes, preventing any disruptions to critical projects. Maintaining a proactive approach to patch management is crucial in maintaining the security and stability of SAP systems.

Summary by Severity

The June release contains a total of 13 patches for the following severities:

Severity Number
Hot News
0
High
4
Medium
8
Low
1
Note Description Severity CVSS
3319400 [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority
Released on: 09.05.2023
Components: BI-BIP-INV
Category: Program error
Medium 6,1
2826092 [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CRM-IPS-BTX-APL
Category: Program error
Medium 6,1
3318657 [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: BC-CTS-DTR
Category: Program error
Medium 6,4
3331627 [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: EP-PIN-NAV
Category: Program error
Medium 6,1
3325642 [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System)
Priority: Correction with low priority
Released on: 13.06.2023
Components: BC-CTS-TMS-CTR
Category: Program error
Low 2,7
3326210 [CVE-2023-30743] Improper Neutralization of Input in SAPUI5
Priority: Correction with high priority
Released on: 09.05.2023
Components: CA-UI5-CTR-BAL
Category: Program error
High 7,1
3324285 [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)
Priority: Correction with high priority
Released on: 13.06.2023
Components: CA-UI5-COR
Category: Program error
High 8,2
3322800 Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium 6,1
3315971 [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 09.05.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium 6,1
3102769 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Priority: Correction with high priority
Released on: 14.12.2021
Components: KM-KW-HTA
Category: Program error
High 8,8
3142092 [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)
Priority: Correction with medium priority
Released on: 08.02.2022
Components: LO-MD-BP
Category: Program error
Medium 6,5
1794761 [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)
Priority: Correction with medium priority
Released on: 23.05.2023
Components: AP-MD-BF-SYN
Category: Program error
Medium 4,2
3301942 [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing
Priority: Correction with high priority
Released on: 23.05.2023
Components: MFG-PCO-DMC
Category: Program error
High 7,9