SAP Security Patch Day – September 2023

Posted by Christoph Nagy

The SAP Security Patch Day returns in September. Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.

In total, five entries fall into the CVSS range for the HotNews priority. While we traditionally focus our attention on the new releases rather than on updates to notes from previous patch days, this does not mean those updates can be neglected.

Patch management for SAP is a crucial exercise that helps maintain the security posture of critical enterprise applications. The effort is relatively low, and the gain in security protection clearly outweighs it.
Attributing individual patches to a specific system installation with high accuracy remains a challenge in many client environments. We therefore recommend using the SecurityBridge Patch Management solution, which displays all missing patches throughout the technology stack, from the database to the application layer.

SAP Security Patches September 2023

Let’s explore the specifics of the September 2023 SAP Security Patch Day. To begin, let’s review the most critical security patches. These are known in SAP vernacular as ‘Hot News’ and cover CVSS scores ranging from 9.1 to 10.

Starting with the Hot News

While the September Patch Day lists a total of five (5) HotNews notes, only two (2) are new releases. First off, SNote 3320355 has a CVSS score of 9.9 and concerns an “Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)”. Attackers exploiting the vulnerable parts of the application can access sensitive information. Although the score indicates high risk, it is important to note that the attack can only be carried out by an authorized account. The scoring is justified because successful exploitation could cause severe harm and damage to the system.

The second HotNews SNote, 3340576, is described as a “Missing Authorization check in SAP CommonCryptoLib.”

In relation to this note, we would like to mention that SNote 3327896 also includes a correction for SAP CommonCryptoLib. Only experienced SAP professionals will recall that CommonCryptoLib is the technical successor to the widely recognized SAP Cryptographic Library (SAPCRYPTOLIB). Although both patches fix vulnerabilities in the same component, the risk and the exploitation methods are fundamentally different in nature.

Summary by Severity

The September release contains a total of 16 patches, distributed across the following severities:

Severity | Number
Hot News | 5
High | 2
Medium | 7
Low | 2
Note | CVSS | Severity | Priority | Released on | Component | Category | Description
2622660 | 10.0 | Hot News | HotNews | 10.04.2018 | BC-FES-BUS-DSK | Program error | Security updates for the browser control Google Chromium delivered with SAP Business Client
3245526 | 9.9 | Hot News | HotNews | 14.03.2023 | BI-BIP-CMC | Program error | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
3320355 | 9.9 | Hot News | HotNews | 12.09.2023 | BI-BIP-LCM | Program error | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)
3273480 | 9.9 | Hot News | HotNews | 13.12.2022 | BC-XI-CON-UDS | Program error | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)
3340576 | 9.8 | Hot News | HotNews | 12.09.2023 | BC-IAM-SSO-CCL | Program error | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib
3370490 | 8.7 | High | Correction with high priority | 12.09.2023 | BI-RA-WBI-FE | Program error | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
3327896 | 7.5 | High | Correction with high priority | 12.09.2023 | BC-IAM-SSO-CCL | Program error | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib
3357163 | 6.3 | Medium | Correction with medium priority | 12.09.2023 | BC-SYB-PD | Program error | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client
3317702 | 6.2 | Medium | Correction with medium priority | 12.09.2023 | BI-BIP-INS | Program error | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite (installer)
3349805 | 5.7 | Medium | Correction with medium priority | 12.09.2023 | FS-QUO | Program error | Denial of service (DOS) vulnerability due to the usage of a vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO)
3323163 | 5.5 | Medium | Correction with medium priority | 12.09.2023 | BC-WD-UR | Program error | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering)
3326361 | 5.4 | Medium | Correction with medium priority | 12.09.2023 | MM-FIO-PUR-SQ-CON | Program error | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App
3348142 | 5.3 | Medium | Correction with medium priority | 12.09.2023 | BC-GP | Program error | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures)
3352453 | 5.3 | Medium | Correction with medium priority | 12.09.2023 | BI-BIP-LCM | Program error | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)
3369680 | 3.5 | Low | Correction with low priority | 12.09.2023 | FI-FIO-AP | Program error | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
3355675 | 2.7 | Low | Correction with low priority | 12.09.2023 | FI-FIO-AP-CHK | Program error | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps)