Skip to content

SAP Security Patch Day – November 2023

SAP security Patch day

Posted by

Gert-Jan Koster

Find recent Security Advisories for SAP©

SAP has released another set of Security Patches on this SAP Security Patch Day for November. Like last month, the number of patches is relatively low, with only 3 new Security Notes and 3 updates to notes that have been earlier released. However, this is no reason to take these updates lightly, as 2 notes have a priority ‘HotNews’ and any Security Note should always be carefully analyzed.

Patch Management remains a challenge for many organizations. The SecurityBridge Patch Management solution helps to gain insight on and manage the implementation of missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit to manage patches effectively. 


SAP Security Patches November 2023

Let’s explore the November 2023 release further, first by looking at the 2 ‘HotNews’ notes. In SAP terms, ‘HotNews,’ refers to CVSS scores from 9.1 to 10.

SAP CommonCryptoLib and SAP Business One

SAP note 3340576 was released before in September 2023 and has been updated, mainly with new solution information for HANA 2.0. See note 3351741 and 3332084 for more information. Be aware that the CommonCryptoLib library is used in various components, so take special care to update CommonCryptoLib completely in your landscape!

SAP note 3355658 describes an Access Control vulnerability that can have considerable impact to SAP Business One systems. There is no workaround available so it is essential to apply the mentioned patch as soon as possible. See note 3400236 for further details.

Notes with ‘Medium’ severity

  • Note 3333426: additional fixes have been provided for NW Java 7.50 SP24 and SP25.
  • Note 2494184: updated since 2018, do cross-check renewed applicability for SAP Sybase products. 
  • Note 3362849: requires a kernel patch for the ICM component but only for ABAP based systems.
  • Note 3366410: requires patching on NW Java sytems only. 
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

SAP Security Notes November 2023

The November release contains a total of 6 patches for the following severities:

Hot News
3340576[CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
Priority: HotNews
Released on: 12.09.2023
Components: BC-IAM-SSO-CCL
Category: Program error
Hot News9.8
3355658[CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation
Priority: HotNews
Released on: 14.11.2023
Components: SBO-CRO-SEC
Category: Program error
Hot News9.6
3333426[CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
Priority: Correction with medium priority
Released on: 10.10.2023
Components: BC-JAS-ADM-MON
Category: Program error
2494184Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products
Priority: Correction with medium priority
Released on: 08.08.2017
Components: BC-SYB-SQA
Category: Program error
3362849[CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.11.2023
Components: BC-CST-IC
Category: Program error
3366410[CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon
Priority: Correction with medium priority
Released on: 14.11.2023
Components: BC-JAS-SEC
Category: Program error
Senior SAP Developer Singapore
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.