Skip to content
SAP security Patch day

SAP Security Patch Day – October 2023

Gert-Jan Koster
SAP Security specialist
October 10, 2023
4 min read
Chapters

Share Article

Another month has passed and it is SAP Security Patch Day again. Like every 2nd Tuesday, SAP brings a new release of SAP Security Patches on this October 10. This time, 7 new Security Notes have been released along with 2 updates to earlier Security Notes. Compared to earlier releases, the number of patches is relatively low this time and all new Security Notes have a ‘medium’ priority. 1 updated Security Note has priority ‘HotNews’ which is a familiar one. 

Although this looks like a patch round that is not so exciting, it is no reason to take patch management lightly! 

Patch Management for SAP remains important as ever to protect applications and enforce the security posture of an organization as a whole. Accurate and up-to-date insight is required to effectively manage missing patches. This can be quite a challenge. With the SecurityBridge Patch Management solution, all absent patches can be displayed throughout the technology stack, from the database to the application layer.

SAP Security Patches October 2023

Let’s explore the October 2023 release further. We will look at the well-known ‘Hot News’ Security Note 2622660 and share some facts about the other new and updated ones.

Fight the fatigue!

Ever heard of ‘alert’ or ‘notification’ fatigue? It is the phenomenon that occurs when people are confronted with such a high frequency of alerts, that it leads to a reduced ability to effectively react.

Something similar could happen with Security Note 2622660. It was first released in april 2018 and is  since then constantly updated with new updates regarding the browser control Google Chromium delivered with SAP Business Client. It shows up almost every patch round as a ‘Hot News’ security note and may be neglected over time. This time, it has been updated with security corrections with a CVSS score of 8.8. 

If this is a relevant component in your landscape, keep checking this note for updates!

New and updated Security Notes

The other released notes concern an array of impacted components: SAP NetWeaver Java, Business Objects, S/4 HANA, Business One and SyBase PowerDesigner client. Fixing the found security issues basically comes down to applying the recommended updates.

Some noteworthy remarks:

  • Note 3371873 and 3324732: take into account both notes need to be applied to fix the security issues. 
  • Note 3357154: there is a workaround that may be applied before the actual fix.
  • Note 3219846: this note is only valid for certain countries or regions. 

Summary by Severity

The October release contains a total of 9 patches for the following severities:

Severity Number
Hot News
1
High
0
Medium
8
Low
0
Note Description Severity CVSS
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error
Hot News 10.0
3372991 [CVE-2023-42474] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BI-RA-WBI-FE
Category: Program error
Medium 6.8
3333426 [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BC-JAS-ADM-MON
Category: Program error
Medium 6.5
3357154 [CVE-2023-40310] Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BC-SYB-PD
Category: Program error
Medium 6.5
3219846 [CVE-2023-42473] Missing Authorization Check In S/4HANA (Manage Withholding Tax Items)
Priority: Correction with medium priority
Released on: 26.09.2023
Components: FI-AP-AP-Q1
Category: Program error
Medium 5.4
3371873 Update 1 to Security Note 3324732: [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BC-JAS-SEC
Category: Program error
Medium 5.3
3324732 [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer)
Priority: Correction with medium priority
Released on: 11.07.2023
Components: BC-JAS-SEC
Category: Program error
Medium 5.3
3222121 [CVE-2023-42475] Information Disclosure Vulnerability in Statutory Reporting
Priority: Correction with medium priority
Released on: 10.10.2023
Components: FI-LOC-SRF-RUN
Category: Program error
Medium 4.3
3338380 [CVE-2023-41365] Information Disclosure vulnerability in SAP Business One (B1i)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: SBO-CRO-SEC
Category: Program error
Medium 4.3