November 14, 2023

SAP Security Patch Day – November 2023

Posted by

Gert-Jan Koster

Find recent Security Advisories for SAP©

SAP has released another set of Security Patches on this SAP Security Patch Day for November. Like last month, the number of patches is relatively low, with only 3 new Security Notes and 3 updates to notes that have been earlier released. However, this is no reason to take these updates lightly, as 2 notes have a priority ‘HotNews’ and any Security Note should always be carefully analyzed.

Patch Management remains a challenge for many organizations. The SecurityBridge Patch Management solution helps to gain insight on and manage the implementation of missing patches across the SAP landscape. With its granular presentation of relevant details and implementation support, it is an essential toolkit to manage patches effectively.

SAP Security Patches November 2023

Let’s explore the November 2023 release further, first by looking at the 2 ‘HotNews’ notes. In SAP terms, ‘HotNews,’ refers to CVSS scores from 9.1 to 10.

SAP CommonCryptoLib and SAP Business One

SAP note 3340576 was released before in September 2023 and has been updated, mainly with new solution information for HANA 2.0. See note 3351741 and 3332084 for more information. Be aware that the CommonCryptoLib library is used in various components, so take special care to update CommonCryptoLib completely in your landscape!

SAP note 3355658 describes an Access Control vulnerability that can have considerable impact to SAP Business One systems. There is no workaround available so it is essential to apply the mentioned patch as soon as possible. See note 3400236 for further details.

Notes with ‘Medium’ severity

Note 3333426: additional fixes have been provided for NW Java 7.50 SP24 and SP25.
Note 2494184: updated since 2018, do cross-check renewed applicability for SAP Sybase products.
Note 3362849: requires a kernel patch for the ICM component but only for ABAP based systems.
Note 3366410: requires patching on NW Java sytems only.

SAP Security Notes November 2023

The November release contains a total of 6 patches for the following severities:

Severity	Number
Hot News	2
High	0
Medium	4

Note	Description	Severity	CVSS
3340576	[CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib Priority: HotNews Released on: 12.09.2023 Components: BC-IAM-SSO-CCL Category: Program error	Hot News	9.8
3355658	[CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation Priority: HotNews Released on: 14.11.2023 Components: SBO-CRO-SEC Category: Program error	Hot News	9.6
3333426	[CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) Priority: Correction with medium priority Released on: 10.10.2023 Components: BC-JAS-ADM-MON Category: Program error	Medium	6.5
2494184	Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products Priority: Correction with medium priority Released on: 08.08.2017 Components: BC-SYB-SQA Category: Program error	Medium	6.3
3362849	[CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: Correction with medium priority Released on: 14.11.2023 Components: BC-CST-IC Category: Program error	Medium	5.3
3366410	[CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon Priority: Correction with medium priority Released on: 14.11.2023 Components: BC-JAS-SEC Category: Program error	Medium	5.3