Skip to content

SAP Security Patch Day – June 2023

SAP security Patch day

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©

Today is June’s SAP Security Patch Day, an important date for SAP customers as they receive the latest security patches from SAP’s Security & Response teams. According to SAP, 8 new Security Notes have been released. Additionally, there have been 5 updates to previously released Security Notes (source: SAP Digital Library). Our experts have reviewed a total of 13 SAP Security Notes published in June. It is essential for organizations to stay informed about these updates and ensure they apply all necessary patches to maintain the security of their SAP systems. You can find the full list of published notes in this section of the article.

Let’s take a closer look at the highlights of the June SAP Security Patch Day, an established practice for organizations, occurring every second Tuesday of the month. Ensuring the resilience of your SAP system against cyber threats requires diligent Patch Management, which should never be neglected.

SAP Security Patches June 2023

The highest CVSS (Common Vulnerability Scoring System) rating for the current SAP Security Patch Day is 8.2. This rating is attributed to SAP Security Note 3324285, which addresses the CVE-2023-33991 vulnerability titled “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)”. This vulnerability impacts a wide range of SAP_UI component versions, with the exception of SAP_UI 758, which already includes the necessary correction. Exploiting this vulnerability could allow a threat actor with user-level access to read data from the server. Successful attacks have the potential to jeopardize the integrity and confidentiality of the system.

It is crucial for organizations to promptly apply the necessary patches to mitigate the risks associated with this vulnerability and safeguard their SAP systems from potential breaches. By staying proactive in addressing security vulnerabilities, organizations can enhance their overall security posture and protect their critical business operations.

In addition to the aforementioned highlights, the Change and Transport System in SAP NetWeaver has also received attention in the June SAP Security Patch Day. Although it was assigned a low priority, Security Note 3325642 addresses a vulnerability that prevents a potential Denial of Service (DoS) attack.

This particular vulnerability can be exploited by an authenticated attacker with administrative privileges. The attacker can repeatedly execute a benchmark program with the intention of slowing down or completely halting the SAP Transport Management function. While the impact of this vulnerability is generally minor during normal operations, it could potentially be exploited to disrupt time-sensitive project go-lives.

While this vulnerability may not be considered critical, it is important for organizations to apply the corresponding patch provided by SAP. By doing so, organizations can mitigate the risk of potential DoS attacks and ensure the smooth functioning of their SAP Transport Management processes, preventing any disruptions to critical projects. Maintaining a proactive approach to patch management is crucial in maintaining the security and stability of SAP systems.

 

Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Summary by Severity

The June release contains a total of 13 patches for the following severities:

SeverityNumber
Hot News
0
High
4
Medium
8
Low
1
NoteDescriptionSeverityCVSS
3319400[CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with medium priority
Released on: 09.05.2023
Components: BI-BIP-INV
Category: Program error
Medium6,1
2826092[CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CRM-IPS-BTX-APL
Category: Program error
Medium6,1
3318657[CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: BC-CTS-DTR
Category: Program error
Medium6,4
3331627[CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: EP-PIN-NAV
Category: Program error
Medium6,1
3325642[CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System)
Priority: Correction with low priority
Released on: 13.06.2023
Components: BC-CTS-TMS-CTR
Category: Program error
Low2,7
3326210[CVE-2023-30743] Improper Neutralization of Input in SAPUI5
Priority: Correction with high priority
Released on: 09.05.2023
Components: CA-UI5-CTR-BAL
Category: Program error
High7,1
3324285[CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)
Priority: Correction with high priority
Released on: 13.06.2023
Components: CA-UI5-COR
Category: Program error
High8,2
3322800Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 13.06.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium6,1
3315971[CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
Priority: Correction with medium priority
Released on: 09.05.2023
Components: CA-WUI-UI-TAG
Category: Program error
Medium6,1
3102769[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Priority: Correction with high priority
Released on: 14.12.2021
Components: KM-KW-HTA
Category: Program error
High8,8
3142092[CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)
Priority: Correction with medium priority
Released on: 08.02.2022
Components: LO-MD-BP
Category: Program error
Medium6,5
1794761[CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)
Priority: Correction with medium priority
Released on: 23.05.2023
Components: AP-MD-BF-SYN
Category: Program error
Medium4,2
3301942[CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing
Priority: Correction with high priority
Released on: 23.05.2023
Components: MFG-PCO-DMC
Category: Program error
High7,9
Senior SAP Developer Singapore
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.