Today is another SAP Security Patch Day, the 5th of the year! In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Another SNote, 3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) was once more updated.
Besides the updated notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
Before we dive into the highlights of the monthly recurring SAP Security Patch Day, which takes place every second Tuesday, we want to show you a way to make your SAP system resilient. An SAP system that is protected not only by reactive security measures but by a strategic and holistic approach can achieve a state of cyber resilience.
We covered the topic of SAP Cyber Resilience in this blog article.
In summary, it is not about achieving a better security posture through reactive individual measures, but through a multi-layered approach that combines the security domains of system hardening and continuous compliance monitoring, timely patching of security vulnerabilities, and real-time monitoring. Customers who analyze and fix vulnerabilities in their own ABAP/4 developments also close these -often unknown- attack vectors.
When it comes to the question of whether SAP Cyber Resilience protects against zero-day vulnerabilities, there are different opinions. What is correct, however, is that the intelligent combination of defense lines leads to the early detection of even a zero-day vulnerability that is exploited by the attacker in combination with other vulnerabilities or even prevents it from working altogether. Please feel free to contact us if you would like to learn more about this topic.
SAP Security Patches May 2023
SAP has released 20 security updates in the May 2023 Security Patch Day, out of which six (6) are Security Notes for SAP Business Objects.
We highly recommend all customers of this product line to review and apply all relevant security patches. The highest CVSS score of 9.1 is assigned to Patch 3307833, which addresses [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console).
A HotNews patch (3328495) has been released for multiple vulnerabilities associated with the Reprise License Manager 14.2 component, used with the SAP 3D Visual Enterprise License Manager. The Reprise License Manager is a third-party software component that provides license management services for various applications, including the SAP 3D Visual Enterprise product. It allows software vendors to manage their licensing models and provides end-users with a way to activate, manage, and track their licenses. The Reprise License Manager has been found to have vulnerabilities in the past, which can be exploited by attackers to gain unauthorized access to systems or steal sensitive information. Therefore, it’s important to apply the latest security patches for this component to ensure the security of your systems.
In addition, there are seven (7) Security Patches with Priority High and various others classified as Medium. We strongly suggest reviewing all security patches, even those with a lower priority, as a successful attack typically consists of the exploitation of a chain of existing vulnerabilities.
Summary by Severity
The May release contains a total of 20 patches for the following severities: