Skip to content

SAP Security Patch Day – June 2023

SAP security Patch day

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Today is June’s SAP Security Patch Day, an important date for SAP customers as they receive the latest security patches from SAP’s Security & Response teams. According to SAP, 8 new Security Notes have been released. Additionally, there have been 5 updates to previously released Security Notes (source: SAP Digital Library). Our experts have reviewed a total of 13 SAP Security Notes published in June. It is essential for organizations to stay informed about these updates and ensure they apply all necessary patches to maintain the security of their SAP systems. You can find the full list of published notes in this section of the article.

Let’s take a closer look at the highlights of the June SAP Security Patch Day, an established practice for organizations, occurring every second Tuesday of the month. Ensuring the resilience of your SAP system against cyber threats requires diligent Patch Management, which should never be neglected.

SAP Security Patches June 2023

The highest CVSS (Common Vulnerability Scoring System) rating for the current SAP Security Patch Day is 8.2. This rating is attributed to SAP Security Note 3324285, which addresses the CVE-2023-33991 vulnerability titled “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)”. This vulnerability impacts a wide range of SAP_UI component versions, with the exception of SAP_UI 758, which already includes the necessary correction. Exploiting this vulnerability could allow a threat actor with user-level access to read data from the server. Successful attacks have the potential to jeopardize the integrity and confidentiality of the system.

It is crucial for organizations to promptly apply the necessary patches to mitigate the risks associated with this vulnerability and safeguard their SAP systems from potential breaches. By staying proactive in addressing security vulnerabilities, organizations can enhance their overall security posture and protect their critical business operations.

In addition to the aforementioned highlights, the Change and Transport System in SAP NetWeaver has also received attention in the June SAP Security Patch Day. Although it was assigned a low priority, Security Note 3325642 addresses a vulnerability that prevents a potential Denial of Service (DoS) attack.

This particular vulnerability can be exploited by an authenticated attacker with administrative privileges. The attacker can repeatedly execute a benchmark program with the intention of slowing down or completely halting the SAP Transport Management function. While the impact of this vulnerability is generally minor during normal operations, it could potentially be exploited to disrupt time-sensitive project go-lives.

While this vulnerability may not be considered critical, it is important for organizations to apply the corresponding patch provided by SAP. By doing so, organizations can mitigate the risk of potential DoS attacks and ensure the smooth functioning of their SAP Transport Management processes, preventing any disruptions to critical projects. Maintaining a proactive approach to patch management is crucial in maintaining the security and stability of SAP systems.

 

Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Summary by Severity

The June release contains a total of 13 patches for the following severities:

Severity Number
Hot News
0
High
4
Medium
8
Low
1
Note Description Severity CVSS
3319400 [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority
Released on: 09.05.2023
Components: BI-BIP-INV
Category: Program error
Medium 6,1
2826092 [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CRM-IPS-BTX-APL
Category: Program error
Medium 6,1
3318657 [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: BC-CTS-DTR
Category: Program error
Medium 6,4
3331627 [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: EP-PIN-NAV
Category: Program error
Medium 6,1
3325642 [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System)
Priority: Correction with low priority
Released on: 13.06.2023
Components: BC-CTS-TMS-CTR
Category: Program error
Low 2,7
3326210 [CVE-2023-30743] Improper Neutralization of Input in SAPUI5
Priority: Correction with high priority
Released on: 09.05.2023
Components: CA-UI5-CTR-BAL
Category: Program error
High 7,1
3324285 [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)
Priority: Correction with high priority
Released on: 13.06.2023
Components: CA-UI5-COR
Category: Program error
High 8,2
3322800 Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium 6,1
3315971 [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 09.05.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium 6,1
3102769 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Priority: Correction with high priority
Released on: 14.12.2021
Components: KM-KW-HTA
Category: Program error
High 8,8
3142092 [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)
Priority: Correction with medium priority
Released on: 08.02.2022
Components: LO-MD-BP
Category: Program error
Medium 6,5
1794761 [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)
Priority: Correction with medium priority
Released on: 23.05.2023
Components: AP-MD-BF-SYN
Category: Program error
Medium 4,2
3301942 [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing
Priority: Correction with high priority
Released on: 23.05.2023
Components: MFG-PCO-DMC
Category: Program error
High 7,9
hacking
In SAP’s patch round of February 2022, an SAP Security Note was released with a CVSS score of 10/10 named, “Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher”. This particular type of vulnerability is not common in SAP systems and therefore interesting to look at. As patching the SAP kernel executables is often not done promptly, we can expect this vulnerability present in the customer’s systems for quite some time.
code pc
In one of our recent articles, we pointed out the use of Access Control Lists (ACLs) to better manage access control. Below, we will show a practical example of how this can be done for inbound HTTP communication with the ‘Internet Communication Manager’ (ICM) component of an SAP system.
SAP Security Patch Tuesday 2024
For February 2024, 13 new Security Notes have been released and 3 have been updated. Lets look at some highlights, starting with the ‘HowNews’ notes.