SAP Security Patch Day – September 2023
The SAP Security Patch Day returns in September. Today, September 12th, 2023, brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
In total, five notes fall into the CVSS range for HotNews priority. While we traditionally focus our attention on the new releases rather than on updates to notes from previous patch days, that does not mean the updates can be neglected.
Patch management for SAP is a crucial exercise that helps maintain the security posture of critical enterprise applications. The effort is relatively low, and the gain in security protection far outweighs it.
Attributing individual patches to a specific system installation with high accuracy remains a challenge in many client environments. We therefore recommend the SecurityBridge Patch Management solution, which displays all absent patches throughout the technology stack, from the database to the application layer.
SAP Security Patches September 2023
Let’s explore the specifics of the September 2023 SAP Security Patch Day. To begin, let’s review the most critical security patches. These are known in SAP vernacular as ‘Hot News’ and cover CVSS scores ranging from 9.1 to 10.
Starting with the Hot News
While the September Patch Day lists a total of five (5) HotNews notes, only two (2) are new releases. First off, SNote 3320355 has a CVSS score of 9.9 and concerns an “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)”. Attackers exploiting the vulnerable parts of the application can access sensitive information. Although the score indicates high risk, it is important to note that the attack can only be carried out from an authorized account. The scoring is nevertheless justified because successful exploitation could cause severe harm and damage to the system.
The second HotNews SNote, 3340576, is described as a “Missing Authorization check in SAP CommonCryptoLib.”
In relation to this note, we would like to mention that SNote 3327896 also includes a correction for SAP CommonCryptoLib. Only experienced SAP professionals will recall that CommonCryptoLib is the technical successor to the widely recognized SAP Cryptographic Library (SAPCRYPTOLIB). Although both patches fix vulnerabilities in the same component, the risk and the exploitation methods are fundamentally different in nature.
Summary by Severity
The September release contains a total of 16 patches across the following severities:
Severity | Number
---|---
Hot News | 5
High | 2
Medium | 7
Low | 2
Note | CVE | Description | Released on | Component | Severity | CVSS
---|---|---|---|---|---|---
2622660 | – | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.04.2018 | BC-FES-BUS-DSK | Hot News | 10.0
3245526 | CVE-2023-25616 | Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 14.03.2023 | BI-BIP-CMC | Hot News | 9.9
3320355 | CVE-2023-40622 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 12.09.2023 | BI-BIP-LCM | Hot News | 9.9
3273480 | CVE-2022-41272 | Improper access control in SAP NetWeaver AS Java (User Defined Search) | 13.12.2022 | BC-XI-CON-UDS | Hot News | 9.9
3340576 | CVE-2023-40309 | Missing Authorization check in SAP CommonCryptoLib | 12.09.2023 | BC-IAM-SSO-CCL | Hot News | 9.8
3370490 | CVE-2023-42472 | Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | 12.09.2023 | BI-RA-WBI-FE | High | 8.7
3327896 | CVE-2023-40308 | Memory Corruption vulnerability in SAP CommonCryptoLib | 12.09.2023 | BC-IAM-SSO-CCL | High | 7.5
3357163 | CVE-2023-40621 | Code Injection vulnerability in SAP PowerDesigner Client | 12.09.2023 | BC-SYB-PD | Medium | 6.3
3317702 | CVE-2023-40623 | Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer) | 12.09.2023 | BI-BIP-INS | Medium | 6.2
3349805 | – | Denial of service (DoS) vulnerability due to the usage of a vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | 12.09.2023 | FS-QUO | Medium | 5.7
3323163 | CVE-2023-40624 | Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | 12.09.2023 | BC-WD-UR | Medium | 5.5
3326361 | CVE-2023-40625 | Missing Authorization check in Manage Purchase Contracts App | 12.09.2023 | MM-FIO-PUR-SQ-CON | Medium | 5.4
3348142 | CVE-2023-41367 | Missing Authentication check in SAP NetWeaver (Guided Procedures) | 12.09.2023 | BC-GP | Medium | 5.3
3352453 | CVE-2023-37489 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 12.09.2023 | BI-BIP-LCM | Medium | 5.3
3369680 | CVE-2023-41369 | External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | 12.09.2023 | FI-FIO-AP | Low | 3.5
3355675 | CVE-2023-41368 | Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | 12.09.2023 | FI-FIO-AP-CHK | Low | 2.7
SAP lists all 16 notes under the category "Program error". The priority SAP assigns to each note matches the severity column.
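The point made earlier about attributing patches to a landscape starts with a clean, machine-readable backlog of the month's notes. The following is an added example, not SecurityBridge's code nor part of SAP's tooling: it parses note descriptors in the same "Priority: … Released on: … Components: … Category: …" layout as the table above, marks a note as a new release when its release date equals the patch day (an assumption adopted here to separate new notes from updates), sorts the backlog by CVSS, and groups notes by SAP component so that the two CommonCryptoLib notes end up side by side. The sample descriptors are constructed from rows of the table; real work would feed the full note list from the SAP Support Portal.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample rows (note number, descriptor, severity, CVSS) copied
# from the patch-day table above; a real run would load the full list.
RAW_NOTES = [
    ("3320355", "[CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) Priority: HotNews Released on: 12.09.2023 Components: BI-BIP-LCM Category: Program error", "Hot News", "9.9"),
    ("2622660", "Security updates for the browser control Google Chromium delivered with SAP Business Client Priority: HotNews Released on: 10.04.2018 Components: BC-FES-BUS-DSK Category: Program error", "Hot News", "10.0"),
    ("3340576", "[CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib Priority: HotNews Released on: 12.09.2023 Components: BC-IAM-SSO-CCL Category: Program error", "Hot News", "9.8"),
    ("3327896", "[CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib Priority: Correction with high priority Released on: 12.09.2023 Components: BC-IAM-SSO-CCL Category: Program error", "High", "7.5"),
    ("3355675", "[CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) Priority: Correction with low priority Released on: 12.09.2023 Components: FI-FIO-AP-CHK Category: Program error", "Low", "2.7"),
]

# Assumption: a note first released on the patch day is a new release,
# anything with an older release date is an update to an existing note.
PATCH_DAY = date(2023, 9, 12)

# One regex for the descriptor layout used in the table: optional CVE tag,
# free-text title, then the fixed Priority / Released on / Components /
# Category fields.
DESC_RE = re.compile(
    r"^(?:\[(?P<cve>CVE-\d{4}-\d{4,})\]\s*)?"
    r"(?P<title>.*?)\s*"
    r"Priority:\s*(?P<priority>.*?)\s*"
    r"Released on:\s*(?P<day>\d{2})\.(?P<month>\d{2})\.(?P<year>\d{4})\s*"
    r"Components?:\s*(?P<component>\S+)\s*"
    r"Category:\s*(?P<category>.*)$"
)


@dataclass
class SapNote:
    number: str
    cve: Optional[str]
    title: str
    severity: str
    cvss: float
    released: date
    component: str
    category: str

    @property
    def is_new(self) -> bool:
        return self.released == PATCH_DAY


def parse_note(number: str, description: str, severity: str, cvss: str) -> SapNote:
    """Turn one table row into a structured note; rejects unknown layouts."""
    m = DESC_RE.match(description)
    if not m:
        raise ValueError(f"unrecognised descriptor for note {number}")
    return SapNote(
        number=number,
        cve=m["cve"],
        title=m["title"],
        severity=severity,
        cvss=float(cvss),
        released=date(int(m["year"]), int(m["month"]), int(m["day"])),
        component=m["component"],
        category=m["category"].strip(),
    )


def build_backlog(raw=RAW_NOTES) -> List[SapNote]:
    """Parse every row and order the backlog by CVSS, highest first."""
    return sorted((parse_note(*row) for row in raw),
                  key=lambda n: (-n.cvss, n.number))


def split_new_and_updates(notes: List[SapNote]) -> Tuple[List[SapNote], List[SapNote]]:
    """Separate this month's new notes from updates to older ones."""
    return [n for n in notes if n.is_new], [n for n in notes if not n.is_new]


def notes_for_component(notes: List[SapNote], component: str) -> List[SapNote]:
    """All notes touching one SAP component, e.g. BC-IAM-SSO-CCL."""
    return [n for n in notes if n.component == component]


if __name__ == "__main__":
    backlog = build_backlog()
    new, updates = split_new_and_updates(backlog)
    print(f"{len(new)} new notes, {len(updates)} updates")
    for n in backlog:
        tag = "NEW" if n.is_new else "UPD"
        print(f"{tag} {n.number} {n.cvss:4.1f} {n.severity:<8} {n.component:<16} {n.cve or '-'}")
    for n in notes_for_component(backlog, "BC-IAM-SSO-CCL"):
        print("CommonCryptoLib:", n.number, n.title)
```

Grouping by component is what makes the CommonCryptoLib pair visible: 3340576 and 3327896 share BC-IAM-SSO-CCL but carry different severities, so a per-component view keeps both on the same work item instead of letting the High note slip behind the HotNews one.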