On this last SAP Security Patch Day of 2023, another set of Security Patches has been released. Previous releases contained a relatively low number of patches, but this month, 17 notes have been released that are either new or have been updated. The so-called ‘HotNews’ notes have the highest priority but keep in mind that all patches should be carefully analyzed and implemented accordingly. Patch management plays a vital role in keeping SAP landscapes safe! So don’t get into ‘holiday mode’ just yet and let’s look at some interesting points of this month’s release.
The SecurityBridge Patch Management solution helps to gain insight on and manage the implementation of missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit to manage patches effectively. Newly released security patches from SAP are seamlessly integrated.
SAP Security Patches December 2023
For December 2023, 3 ‘HotNews’ notes are mentioned that we will look into a bit further. In SAP terms, ‘HotNews’ refers to CVSS scores from 9.1 to 10.
Note that SAP note 2622660 is frequently updated for new updates on Google Chromium delivered with SAP Business Client. This month, the actual updates concern a CVSS rating of ‘8.8’.
HotNews update for IS-OIL - discovered by SecurityBridge
Perhaps you remember SAP note 3350297 from the July release earlier this year. It concerns an OS command injection vulnerability in the IS-OIL solution that can give an attacker extensive control. The note was first released on July’s patch day, but it then became clear that importing the note on non-IS-OIL systems could do serious harm, which is why the note description was updated accordingly.
Meanwhile, the SecurityBridge research team has discovered that the solution from note 3350297 is incomplete and leaves customers vulnerable, which is why SAP has released a new HotNews note 3399691 to resolve that. Customers that use IS-OIL should analyse this update to stay safe. Refer to FAQ note 3349318 for further details.
SAP BTP Security Services Integration Libraries
SAP note 3411067 reports a possible escalation of privileges when using SAP BTP Security Services Integration Libraries. The CVSS rating is ‘9.1’ and concerns multiple libraries for Node.js, Java, Python and Golang. There is no workaround, so patching and thorough testing are required for the mentioned libraries and programming infrastructures.
Other security notes
Apart from the ‘HotNews’ notes, see below highlights of notes that require additional steps or other actions.
- Note 3159329: requires an update of a SAPUI5 library. Note the update procedure mentioned in note 3155948.
- Note 3363690: vulnerability on SAP Master Data Governance. Note the required additional steps to consume the fix mentioned in the note.
- Note 3394567: after applying the patch, a re-build and re-deploy of the updated SAP Commerce Cloud version is required.
SAP Security Notes December 2023
Summary by Severity
The December release contains a total of 17 patches for the following severities: