Today is June’s SAP Security Patch Day, an important date for SAP customers as they receive the latest security patches from SAP’s Security & Response teams. According to SAP, 8 new Security Notes have been released. Additionally, there have been 5 updates to previously released Security Notes (source: SAP Digital Library). Our experts have reviewed a total of 13 SAP Security Notes published in June. It is essential for organizations to stay informed about these updates and ensure they apply all necessary patches to maintain the security of their SAP systems. You can find the full list of published notes in this section of the article.
Let’s take a closer look at the highlights of the June SAP Security Patch Day, an established practice for organizations, occurring every second Tuesday of the month. Ensuring the resilience of your SAP system against cyber threats requires diligent Patch Management, which should never be neglected.
SAP Security Patches June 2023
The highest CVSS (Common Vulnerability Scoring System) rating for the current SAP Security Patch Day is 8.2. This rating is attributed to SAP Security Note 3324285, which addresses the CVE-2023-33991 vulnerability titled “Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)”. This vulnerability impacts a wide range of SAP_UI component versions, with the exception of SAP_UI 758, which already includes the necessary correction. Exploiting this vulnerability could allow a threat actor with user-level access to read data from the server. Successful attacks have the potential to jeopardize the integrity and confidentiality of the system.
It is crucial for organizations to promptly apply the necessary patches to mitigate the risks associated with this vulnerability and safeguard their SAP systems from potential breaches. By staying proactive in addressing security vulnerabilities, organizations can enhance their overall security posture and protect their critical business operations.
In addition to the aforementioned highlights, the Change and Transport System in SAP NetWeaver has also received attention in the June SAP Security Patch Day. Although it was assigned a low priority, Security Note 3325642 addresses a vulnerability that prevents a potential Denial of Service (DoS) attack.
This particular vulnerability can be exploited by an authenticated attacker with administrative privileges. The attacker can repeatedly execute a benchmark program with the intention of slowing down or completely halting the SAP Transport Management function. While the impact of this vulnerability is generally minor during normal operations, it could potentially be exploited to disrupt time-sensitive project go-lives.
While this vulnerability may not be considered critical, it is important for organizations to apply the corresponding patch provided by SAP. By doing so, organizations can mitigate the risk of potential DoS attacks and ensure the smooth functioning of their SAP Transport Management processes, preventing any disruptions to critical projects. Maintaining a proactive approach to patch management is crucial in maintaining the security and stability of SAP systems.
Summary by Severity
The June release contains a total of 13 patches for the following severities: