
SAP Security Patch Day – November 2023


Posted by Gert-Jan Koster


SAP has released another set of Security Patches on this SAP Security Patch Day for November. Like last month, the number of patches is relatively low: only 3 new Security Notes and 3 updates to notes released earlier. That is no reason to take the release lightly, however, as 2 of the notes carry the priority ‘HotNews’, and every Security Note should be analyzed carefully for its applicability to your landscape.

Patch Management remains a challenge for many organizations. The SecurityBridge Patch Management solution provides insight into missing patches across the SAP landscape and helps manage their implementation. With its granular presentation of relevant details and implementation support, it is an essential toolkit for managing patches effectively.


SAP Security Patches November 2023

Let’s explore the November 2023 release further, starting with the 2 ‘HotNews’ notes. In SAP terms, ‘HotNews’ is the priority assigned to notes with a CVSS base score of 9.0 to 10.0.

SAP CommonCryptoLib and SAP Business One

SAP note 3340576 was first released in September 2023 and has now been updated, mainly with new solution information for HANA 2.0. See notes 3351741 and 3332084 for more information. Be aware that CommonCryptoLib is a shared library used by many components (ABAP and Java application servers, HANA, Web Dispatcher and others), so a fix applied to one system does not cover the rest: take special care to update CommonCryptoLib completely across your landscape!
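Because the library is shared, the practical question after this note is not “did we patch?” but “is there any installation left on an old version?”. The following script is an added example (not SecurityBridge code and not taken from the SAP note): it takes a per-host inventory of components and the CommonCryptoLib version each reports, and lists every installation still below a minimum version. The inventory is constructed, and MIN_VERSION is a placeholder; the actual fixed version must be taken from note 3340576, which this page does not state.

```python
"""Landscape coverage check for a shared library patch (CommonCryptoLib).

Added example, not code from SecurityBridge or SAP. INVENTORY is constructed
sample data and MIN_VERSION is a placeholder (assumption): take the real
fixed version from SAP note 3340576.
"""
import re
from collections import defaultdict

# Placeholder minimum patched version (assumption, not from the note).
MIN_VERSION = "8.5.50"

# Constructed inventory: (host, component using the library, version it reports)
INVENTORY = [
    ("erpprd01", "AS ABAP kernel", "8.5.50"),
    ("erpprd01", "SAP HANA 2.0", "8.5.49"),
    ("erpprd02", "AS Java", "8.5.9"),
    ("sapwd01", "Web Dispatcher", "8.5.50 pl"),
    ("hdbprd01", "SAP HANA 2.0", "8.5.50"),
]


def parse_version(text):
    """Turn '8.5.50' (optionally followed by other text) into an int tuple.

    Comparing tuples of ints avoids the classic pitfall of comparing version
    strings lexically, where '8.5.9' would wrongly sort after '8.5.50'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version, minimum=MIN_VERSION):
    """True when the reported version is at or above the minimum."""
    return parse_version(version) >= parse_version(minimum)


def coverage_report(inventory, minimum=MIN_VERSION):
    """Return {host: [(component, version), ...]} for every installation
    still below `minimum`. A host only counts as done when it has no entry."""
    lagging = defaultdict(list)
    for host, component, version in inventory:
        if not is_patched(version, minimum):
            lagging[host].append((component, version))
    return dict(lagging)


if __name__ == "__main__":
    report = coverage_report(INVENTORY)
    if not report:
        print("all inventoried installations at or above", MIN_VERSION)
    for host, items in report.items():
        for component, version in items:
            print(f"{host}: {component} still on CommonCryptoLib {version}")
```

Feed it the real inventory from your landscape (the version each component reports) and the fixed version from the note; the report is only meaningful if the inventory really covers every component that links the library, which is exactly the point the note makes.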

SAP note 3355658 describes an Improper Access Control vulnerability in the SAP Business One product installation that can have considerable impact on SAP Business One systems. There is no workaround available, so it is essential to apply the patch mentioned in the note as soon as possible. See note 3400236 for further details.

Notes with ‘Medium’ severity

  • Note 3333426: additional fixes have been provided for NW Java 7.50 SP24 and SP25.
  • Note 2494184: first updated since 2018; cross-check whether the renewed note now applies to your SAP Sybase products.
  • Note 3362849: requires a kernel patch for the ICM component, but only on ABAP-based systems.
  • Note 3366410: requires patching on NW Java systems only.

SAP Security Notes November 2023

The November release contains a total of 6 patches for the following severities:

Severity    Number
Hot News    2
High        0
Medium      4
Note 3340576: [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
  Priority: HotNews
  Released on: 12.09.2023
  Components: BC-IAM-SSO-CCL
  Category: Program error
  Severity: Hot News
  CVSS: 9.8

Note 3355658: [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation
  Priority: HotNews
  Released on: 14.11.2023
  Components: SBO-CRO-SEC
  Category: Program error
  Severity: Hot News
  CVSS: 9.6

Note 3333426: [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)
  Priority: Correction with medium priority
  Released on: 10.10.2023
  Components: BC-JAS-ADM-MON
  Category: Program error
  Severity: Medium
  CVSS: 6.5

Note 2494184: Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products
  Priority: Correction with medium priority
  Released on: 08.08.2017
  Components: BC-SYB-SQA
  Category: Program error
  Severity: Medium
  CVSS: 6.3

Note 3362849: [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
  Priority: Correction with medium priority
  Released on: 14.11.2023
  Components: BC-CST-IC
  Category: Program error
  Severity: Medium
  CVSS: 5.3

Note 3366410: [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon
  Priority: Correction with medium priority
  Released on: 14.11.2023
  Components: BC-JAS-SEC
  Category: Program error
  Severity: Medium
  CVSS: 5.3