SAP Security Patch Day – May 2023

Christoph Nagy
Managing director
May 9, 2023
5 min read

Today is another SAP Security Patch Day, the fifth of the year. In May 2023, the SAP Response Team released 20 SAP Security Notes, including the evergreen note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, which carries HotNews priority. Another SNote, 3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service), was updated once more.

Besides the two updated notes, SAP Security Patch Day May 2023 contains 18 new security updates across the broad SAP product portfolio, with SAP BusinessObjects accounting for the largest share.

Before we dive into the highlights of the monthly SAP Security Patch Day, which takes place on the second Tuesday of every month, we want to show you a way to make your SAP system resilient. An SAP system that is protected not only by reactive security measures but by a strategic and holistic approach can reach a state of cyber resilience.

We covered the topic of SAP Cyber Resilience in this blog article.

In summary, a better security posture is not achieved through reactive individual measures but through a multi-layered approach that combines the security domains of system hardening and continuous compliance monitoring, timely patching of security vulnerabilities, and real-time monitoring. Customers who analyze and fix vulnerabilities in their own ABAP/4 developments also close these often unknown attack vectors.

Opinions differ on whether SAP Cyber Resilience protects against zero-day vulnerabilities. What holds, however, is that an intelligent combination of defense lines leads to early detection of even a zero-day vulnerability that an attacker exploits in combination with other vulnerabilities, or prevents it from working altogether. Please feel free to contact us if you would like to learn more about this topic.

SAP Security Patches May 2023

SAP has released 20 security updates in the May 2023 Security Patch Day, six (6) of which are Security Notes for SAP BusinessObjects.

We highly recommend that all customers of this product line review and apply all relevant security patches. The highest CVSS score within this product line, 9.1, is assigned to Note 3307833, which addresses [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console).

A HotNews patch (3328495) has been released for multiple vulnerabilities associated with the Reprise License Manager 14.2 component used with the SAP 3D Visual Enterprise License Manager. The Reprise License Manager is a third-party software component that provides license management services for various applications, including the SAP 3D Visual Enterprise product. It allows software vendors to manage their licensing models and gives end users a way to activate, manage, and track their licenses. The Reprise License Manager has had vulnerabilities in the past that attackers can exploit to gain unauthorized access to systems or steal sensitive information. It is therefore important to apply the latest security patches for this component to keep your systems secure.

In addition, there are seven (7) Security Patches with priority High and various others classified as Medium. We strongly suggest reviewing all security patches, even those with a lower priority, since a successful attack typically chains several existing vulnerabilities.

Summary by Severity

The May release contains a total of 20 patches for the following severities:

Severity   Number
HotNews    3
High       7
Medium     7
Low        3
Note details (Note, Description, Severity, CVSS)

3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)
Priority: Correction with low priority; Released on: 11.04.2023; Component: BC-SRV-AIF; Category: Program error
Severity: Low; CVSS: 3.1

3326210 – [CVE-2023-30743] Improper Neutralization of Input in SAPUI5
Priority: Correction with high priority; Released on: 09.05.2023; Component: CA-UI5-CTR-BAL; Category: Program error
Severity: High; CVSS: 7.1

3315979 – [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
Priority: Correction with medium priority; Released on: 09.05.2023; Component: CA-WUI-CON; Category: Program error
Severity: Medium; CVSS: 5.4

3309935 – [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority; Released on: 09.05.2023; Component: BI-BIP-INV; Category: Program error
Severity: Medium; CVSS: 6.1

3313484 – [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority; Released on: 09.05.2023; Component: BI-BIP-INV; Category: Program error
Severity: Medium; CVSS: 6.3

3328495 – Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager
Priority: HotNews; Released on: 09.05.2023; Component: CA-VE; Category: Program error
Severity: HotNews; CVSS: 9.8

3317453 – [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA
Priority: Correction with high priority; Released on: 09.05.2023; Component: BC-JAS-EJB; Category: Program error
Severity: High; CVSS: 8.2

3315971 – [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority; Released on: 09.05.2023; Component: CA-WUI-UI-TAG; Category: Program error
Severity: Medium; CVSS: 6.1

3307833 – [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
Priority: HotNews; Released on: 09.05.2023; Component: BI-BIP-SRV; Category: Program error
Severity: HotNews; CVSS: 9.1

3323415 – [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel
Priority: Correction with high priority; Released on: 09.05.2023; Component: SCM-IBP-XLS; Category: Program error
Severity: High; CVSS: 8.2

3320467 – [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows
Priority: Correction with high priority; Released on: 09.05.2023; Component: BC-FES-GUI; Category: Program error
Severity: High; CVSS: 7.5

3320145 – Denial of service (DOS) in SAP Commerce
Priority: Correction with high priority; Released on: 09.05.2023; Component: CEC-COM-CPS-OTH; Category: Program error
Severity: High; CVSS: 7.5

3319400 – [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority; Released on: 09.05.2023; Component: BI-BIP-INV; Category: Program error
Severity: Medium; CVSS: 6.1

3302595 – [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with low priority; Released on: 09.05.2023; Component: BI-BIP-IDT; Category: Program error
Severity: Low; CVSS: 3.7

3300624 – [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy)
Priority: Correction with high priority; Released on: 09.05.2023; Component: BC-SYB-PD; Category: Program error
Severity: High; CVSS: 7.5

3312892 – [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation
Priority: Correction with medium priority; Released on: 09.05.2023; Component: EPM-BPC-NW-DOC; Category: Program error
Severity: Medium; CVSS: 5.4

2335198 – [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy
Priority: Correction with low priority; Released on: 09.05.2023; Component: LO-MD-BP-VM; Category: Program error
Severity: Low; CVSS: 2.8

3321309 – Information Disclosure vulnerability in SAP Commerce (Backoffice)
Priority: Correction with high priority; Released on: 09.05.2023; Component: CEC-COM-CPS-OTH; Category: Program error
Severity: High; CVSS: 7.5

2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews; Released on: 10.04.2018; Component: BC-FES-BUS-DSK; Category: Program error
Severity: HotNews; CVSS: 10.0

3038911 – [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service)
Priority: Correction with medium priority; Released on: 09.05.2023; Component: BI-BIP-ADM; Category: Program error
Severity: Medium; CVSS: 5.0