The SAP Security Patch Day returns in September. Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
In total, we see 5 updates attributed in the CVSS range for priority HotNews. While we traditionally focus our attention on the new releases, and not on the updates from previous patch days, this does not mean those can be neglected.
Patch Management for SAP is a crucial exercise that helps in managing the security posture of critical enterprise applications. While the effort is relatively low, the effects on security protection outweigh it.
Attributing individual patches to a specific system installation with high accuracy remains a challenge in many client environments. Therefore, we recommend utilizing the SecurityBridge Patch Management solution, which displays all absent patches throughout the technology stack, from the database to the application layer.
Let’s explore the specifics of the September 2023 SAP Security Patch Day. To begin, let’s review the most critical security patches. These are known in the SAP vernacular as ‘Hot News,’ which includes CVSS scores ranging from 9.1 to 10.
While the September Patch Day lists a total of five (5) HotNews notes, only two (2) are new releases. First off, SNote 3320355 has a CVS Score of 9.9 and concerns an “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)”. Attacks exploiting vulnerable parts of the application can access sensitive information. Although the score indicates high risk, it is important to note that the attack can only be carried out by an authorized account. The scoring is justified because successful exploitation could cause severe harm and damage to the system.
The second HotNew SNote, 3340576, is described as having a “Missing Authorization check in SAP CommonCryptoLib.”
In relation to this note, we would like to mention that SNote 3327896 includes a correction for the SAP CommonCryptoLib. Only experienced SAP professionals will recall that CommonCryptoLib is the technical follow-up to the widely recognized SAP Cryptographic Library (SAPCRYPTOLIB). Although the patches provide a fix for vulnerabilities in the same components, the risk and exploitation methods are fundamentally different in nature.
The September release contains a total of 16 patches for the following severities:
| Severity | Number |
Hot News
|
5 |
|---|---|
|
High
|
2 |
|
Medium
|
7 |
|
Low
|
2 |
