Skip to content
SAP security Patch day

SAP Security Patch Day – November 2023

ebde76d0d55c1a42c8ff2d0159c52217?s=96&d=mm&r=g
Gert-Jan Koster
SAP Security specialist
November 14, 2023
3 min read
Chapters

Share Article

SAP has released another set of Security Patches on this SAP Security Patch Day for November. Like last month, the number of patches is relatively low, with only 3 new Security Notes and 3 updates to notes that have been earlier released. However, this is no reason to take these updates lightly, as 2 notes have a priority ‘HotNews’ and any Security Note should always be carefully analyzed.

Patch Management remains a challenge for many organizations. The SecurityBridge Patch Management solution helps to gain insight on and manage the implementation of missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit to manage patches effectively. 

 

SAP Security Patches November 2023

Let’s explore the November 2023 release further, first by looking at the 2 ‘HotNews’ notes. In SAP terms, ‘HotNews,’ refers to CVSS scores from 9.1 to 10.

SAP CommonCryptoLib and SAP Business One

SAP note 3340576 was released before in September 2023 and has been updated, mainly with new solution information for HANA 2.0. See note 3351741 and 3332084 for more information. Be aware that the CommonCryptoLib library is used in various components, so take special care to update CommonCryptoLib completely in your landscape!

SAP note 3355658 describes an Access Control vulnerability that can have considerable impact to SAP Business One systems. There is no workaround available so it is essential to apply the mentioned patch as soon as possible. See note 3400236 for further details.

Notes with ‘Medium’ severity

  • Note 3333426: additional fixes have been provided for NW Java 7.50 SP24 and SP25.
  • Note 2494184: updated since 2018, do cross-check renewed applicability for SAP Sybase products. 
  • Note 3362849: requires a kernel patch for the ICM component but only for ABAP based systems.
  • Note 3366410: requires patching on NW Java sytems only. 

SAP Security Notes November 2023

The November release contains a total of 6 patches for the following severities:

Severity Number
Hot News
2
High
0
Medium
4
Note Description Severity CVSS
3340576 [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
Priority: HotNews
Released on: 12.09.2023
Components: BC-IAM-SSO-CCL
Category: Program error
Hot News 9.8
3355658 [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation
Priority: HotNews
Released on: 14.11.2023
Components: SBO-CRO-SEC
Category: Program error
Hot News 9.6
3333426 [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BC-JAS-ADM-MON
Category: Program error
Medium 6.5
2494184 Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products
Priority: Correction with medium priority
Released on: 08.08.2017
Components: BC-SYB-SQA
Category: Program error
Medium 6.3
3362849 [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.11.2023
Components: BC-CST-IC
Category: Program error
Medium 5.3
3366410 [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon
Priority: Correction with medium priority
Released on: 14.11.2023
Components: BC-JAS-SEC
Category: Program error
Medium 5.3