
SAP Security Patch Day – May 2023


Posted by

Christoph Nagy

Today is another SAP Security Patch Day, the fifth of the year. In May 2023, the SAP Response Team released 20 SAP Security Notes. Among them is the evergreen HotNews note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, which was updated again. Note 3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) was also updated once more.

Besides the two updated notes, SAP Security Patch Day May 2023 contains 18 new Security Notes across the broad SAP product portfolio; the largest share, six notes, concerns the SAP BusinessObjects Business Intelligence platform.


Before we dive into the highlights of the monthly SAP Security Patch Day, which takes place on the second Tuesday of each month, we want to show you a way to make your SAP system resilient. An SAP system protected not only by reactive security measures but by a strategic and holistic approach can reach a state of cyber resilience.

We covered the topic of SAP Cyber Resilience in this blog article.

In summary, a better security posture does not come from isolated reactive measures but from a multi-layered approach that combines system hardening with continuous compliance monitoring, timely patching of security vulnerabilities, and real-time monitoring. Customers who analyze and fix vulnerabilities in their own ABAP/4 developments also close these often unknown attack vectors.

Whether SAP Cyber Resilience protects against zero-day vulnerabilities is a matter of debate. What holds, however, is that an intelligent combination of defense lines leads to early detection of a zero-day that an attacker exploits in combination with other vulnerabilities, or even prevents the attack chain from working altogether. Please feel free to contact us if you would like to learn more about this topic.

SAP Security Patches May 2023


SAP has released 20 security updates in the May 2023 Security Patch Day, out of which six (6) are Security Notes for SAP Business Objects.

We highly recommend all customers of this product line to review and apply all relevant security patches. The highest CVSS score among them, 9.1, is assigned to SAP Note 3307833, which addresses [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console).

A HotNews note (3328495, CVSS 9.8) has been released for multiple vulnerabilities in the Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager. Reprise License Manager is a third-party component that provides license management for various applications, including SAP 3D Visual Enterprise: software vendors use it to manage their licensing models, and end users use it to activate, manage and track their licenses. Vulnerabilities in Reprise License Manager have been disclosed in the past that allow attackers to gain unauthorized access to systems or steal sensitive information, so applying the latest security patch for this component is important.

In addition, there are seven (7) Security Notes with priority High, seven with priority Medium, and three with priority Low. We strongly suggest reviewing all security patches, even those with a lower priority, since a successful attack typically chains several existing vulnerabilities.

Summary by Severity

The May release contains a total of 20 notes with the following severities:

Severity    Number
Hot News    3
High        7
Medium      7
Low         3
Security Notes in detail (note number and title, followed by priority, release date, component, category, severity and CVSS score):

3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)
  Priority: Correction with low priority | Released on: 11.04.2023 | Component: BC-SRV-AIF | Category: Program error | Severity: Low | CVSS: 3.1

3326210 – [CVE-2023-30743] Improper Neutralization of Input in SAPUI5
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: CA-UI5-CTR-BAL | Category: Program error | Severity: High | CVSS: 7.1

3315979 – [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: CA-WUI-CON | Category: Program error | Severity: Medium | CVSS: 5.4

3309935 – [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: BI-BIP-INV | Category: Program error | Severity: Medium | CVSS: 6.1

3313484 – [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: BI-BIP-INV | Category: Program error | Severity: Medium | CVSS: 6.3

3328495 – Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager
  Priority: HotNews | Released on: 09.05.2023 | Component: CA-VE | Category: Program error | Severity: Hot News | CVSS: 9.8

3317453 – [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: BC-JAS-EJB | Category: Program error | Severity: High | CVSS: 8.2

3315971 – [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: CA-WUI-UI-TAG | Category: Program error | Severity: Medium | CVSS: 6.1

3307833 – [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
  Priority: HotNews | Released on: 09.05.2023 | Component: BI-BIP-SRV | Category: Program error | Severity: Hot News | CVSS: 9.1

3323415 – [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: SCM-IBP-XLS | Category: Program error | Severity: High | CVSS: 8.2

3320467 – [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: BC-FES-GUI | Category: Program error | Severity: High | CVSS: 7.5

3320145 – Denial of service (DOS) in SAP Commerce
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: CEC-COM-CPS-OTH | Category: Program error | Severity: High | CVSS: 7.5

3319400 – [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: BI-BIP-INV | Category: Program error | Severity: Medium | CVSS: 6.1

3302595 – [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
  Priority: Correction with low priority | Released on: 09.05.2023 | Component: BI-BIP-IDT | Category: Program error | Severity: Low | CVSS: 3.7

3300624 – [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy)
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: BC-SYB-PD | Category: Program error | Severity: High | CVSS: 7.5

3312892 – [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: EPM-BPC-NW-DOC | Category: Program error | Severity: Medium | CVSS: 5.4

2335198 – [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy
  Priority: Correction with low priority | Released on: 09.05.2023 | Component: LO-MD-BP-VM | Category: Program error | Severity: Low | CVSS: 2.8

3321309 – Information Disclosure vulnerability in SAP Commerce (Backoffice)
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: CEC-COM-CPS-OTH | Category: Program error | Severity: High | CVSS: 7.5

2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client
  Priority: HotNews | Released on: 10.04.2018 | Component: BC-FES-BUS-DSK | Category: Program error | Severity: Hot News | CVSS: 10.0

3038911 – [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service)
  Priority: Correction with medium priority | Released on: 09.05.2023 | Component: BI-BIP-ADM | Category: Program error | Severity: Medium | CVSS: 5.0
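A note list like the one above is only useful once it is turned into a patching order for a concrete system. The following Python script is an added example written for this page, not SecurityBridge or SAP tooling: it parses note records in a simple two-line layout (note number and title, then "key: value" fields separated by "|"), recomputes the severity summary, flags re-released notes whose original release date predates the patch day (such as evergreen 2622660), and ranks the notes a system is still missing by severity and CVSS. The four sample records, the record layout and the set of "implemented" notes are constructed assumptions; real note status would have to come from the system itself.

```python
"""Triage helper for an SAP Security Patch Day note list (added example).

Parses note records, recomputes the per-severity summary and orders the
notes a system is still missing by urgency. The record layout, the sample
records and the "implemented" set are constructed sample data, not a feed
published by SAP and not the status of any real system.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Constructed sample input (assumption): two lines per record,
# "<note> – <title>" followed by "key: value | key: value ...".
SAMPLE = """\
3307833 – [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
  Priority: HotNews | Released on: 09.05.2023 | Component: BI-BIP-SRV | Category: Program error | Severity: Hot News | CVSS: 9.1
3117978 – [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)
  Priority: Correction with low priority | Released on: 11.04.2023 | Component: BC-SRV-AIF | Category: Program error | Severity: Low | CVSS: 3.1
3320145 – Denial of service (DOS) in SAP Commerce
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: CEC-COM-CPS-OTH | Category: Program error | Severity: High | CVSS: 7.5
3326210 – [CVE-2023-30743] Improper Neutralization of Input in SAPUI5
  Priority: Correction with high priority | Released on: 09.05.2023 | Component: CA-UI5-CTR-BAL | Category: Program error | Severity: High | CVSS: 7.1
"""

# Lower rank = more urgent; matches SAP's four priority classes.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}
HEADER = re.compile(r"^(\d{7})\s+[–-]\s+(.*)$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Note:
    number: str
    title: str
    cve: Optional[str]      # None for notes published without a CVE
    priority: str
    released: date
    component: str
    severity: str
    cvss: float


def parse_notes(text: str) -> List[Note]:
    """Parse two-line note records; raise on a malformed record or unknown severity."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("dangling header line without a field line")
    notes: List[Note] = []
    for head, body in zip(lines[0::2], lines[1::2]):
        m = HEADER.match(head.strip())
        if not m:
            raise ValueError(f"bad header line: {head!r}")
        fields: Dict[str, str] = {}
        for part in body.split("|"):
            key, _, val = part.partition(":")
            fields[key.strip()] = val.strip()
        severity = fields["Severity"]
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in note {m.group(1)}")
        cve = CVE.search(m.group(2))
        notes.append(Note(
            number=m.group(1),
            title=m.group(2),
            cve=cve.group(0) if cve else None,
            priority=fields["Priority"],
            released=datetime.strptime(fields["Released on"], "%d.%m.%Y").date(),
            component=fields["Component"],
            severity=severity,
            cvss=float(fields["CVSS"].replace(",", ".")),  # accept "9,1" as well as "9.1"
        ))
    return notes


def severity_summary(notes: List[Note]) -> Dict[str, int]:
    """Recount notes per severity, i.e. rebuild the 'Summary by Severity' table."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for n in notes:
        counts[n.severity] += 1
    return counts


def updated_notes(notes: List[Note], patch_day: date) -> List[str]:
    """Numbers of notes whose original release predates patch_day (re-released notes)."""
    return [n.number for n in notes if n.released < patch_day]


def triage(notes: List[Note], implemented: Set[str], patch_day: date) -> List[Note]:
    """Notes not yet implemented, most urgent first (severity, then CVSS descending).

    Re-released notes are deliberately kept in scope: an old release date
    does not mean the note is already applied in its current version.
    """
    missing = [n for n in notes if n.number not in implemented]
    return sorted(missing, key=lambda n: (SEVERITY_RANK[n.severity], -n.cvss, n.number))


if __name__ == "__main__":
    notes = parse_notes(SAMPLE)
    patch_day = date(2023, 5, 9)
    print(severity_summary(notes))
    # Assumed status of a fictitious system: only the SAP Commerce note is applied.
    for n in triage(notes, implemented={"3320145"}, patch_day=patch_day):
        flag = " (re-released)" if n.number in updated_notes(notes, patch_day) else ""
        print(f"{n.severity:<8} {n.cvss:4.1f} {n.number} {n.component}{flag}")
```

The ordering key is severity first and CVSS second on purpose: SAP's priority already folds in exploitability and impact on the product, while the raw CVSS alone would, for example, rank the 9.8 Reprise License Manager note above the 9.1 Central Management Console note even in a landscape that runs no SAP 3D Visual Enterprise at all. Filter the parsed list by the components actually installed before ranking.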