Navigating SAP Security Notes: November 2023 Patch Tuesday

SAP published three new and three updated Security Notes for November 2023 Patch Tuesday. Like last month, this month’s release is relatively quiet in terms of number of patches and severity. Only two Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). One HotNews note is new, and one is an update to Security Note 3340576, which was initially released on SAP’s September Patch Day. Additionally, two new and two updated Security Notes have a Medium Priority rating (CVSS scores ranging from 4.0 to 6.9). For this blog, we will focus on the four most critical Security Notes, two with a Medium Priority rating and two with a HotNews Priority rating.

Newly Released HotNews Security Note

Security Note 3355658 – [CVE-2023-31403] received a CVSS score of 9.6. It patches an “Improper Access Control vulnerability in SAP Business One product installation.” The SAP Business One installation process allows anonymous users read and write access to the SMB shared folder. Impacted components are:

• The Crystal Report (CR) shared folder.
• Traditional Mobile app (attachment path).
• RSP (log folder logic).
• Job Service.
• BAS (file upload folder).

If successfully exploited, this vulnerability could result in unauthorized access, and the files in the folder can be executed or used by the installation process. If left unpatched, there will be considerable impact on system confidentiality, integrity, and availability. As a solution, SAP modified the SMB shared folder permissions to only allow read and write access to authenticated and authorized users. SAP also made necessary code changes and enforced strict access controls to maintain auditability and traceability of activities in the shared folder and SAP Business One 10.0 SP2308 Security Hotfix.

Although this Security Note provides a hotfix for SAP Business One 10.0 SP2308, this vulnerability can still potentially impact installations on lower levels of support packages. With SAP not providing a temporary workaround, customers must update their installation to SP2308 to implement the provided hotfix. Customers can find the patches on the SAP ONE Support launchpad.

Updated HotNews Security Note

Security Note 3340576 – [CVE-2023-40309] was initially released on SAP’s September 2023 Patch Day and was updated for this month’s release. This note received a CVSS score of 9.8 and addresses a “Missing Authorization check in SAP CommonCryptoLib.” Verifying JavaScript Web Tokens (JWT) and raw signatures may fail, resulting in missing or incorrect authorization checks in the calling application. This could lead to an unauthorized escalation of privileges. Depending on the application and the level of acquired privileges, threat actors could gain access to restricted data, modify or delete it, or even compromise the affected application entirely. As a solution, SAP advises customers to download and install CommonCryptoLib 8.5.50 (or higher) to correct this issue. This month’s update includes revised ‘Solution’ information and directions for patching specific components. Currently, there is no temporary workaround to mitigate this vulnerability.

Newly Released Medium Priority Security Notes

Security Note 3366410 – [CVE-2023-42480] received a CVSS score of 5.3 and addresses “Information Disclosure in NetWeaver AS Java Logon.” This vulnerability could enable an unauthenticated attacker in the NetWeaver AS Java Logon application to brute-force the login functionality and identify legitimate user IDs. If left unpatched, this vulnerability will impact system confidentiality but will not affect system integrity and availability. As a solution, SAP implemented a code fix to mitigate this vulnerability. SAP also suggests Updating NW Application Server Java to a release or SP where the problem is fixed. Customers should see the “Validity” and “Support Packages & Patches” sections of the Security Note for details and available patches. Customers should also check Security Note 1974464 to avoid system incompatibilities.

Security Note 3362849 – [CVE-2023-41366] received a CVSS score of 5.3 and patches an “Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.” Under certain conditions, SAP NetWeaver Application Server ABAP allows an unauthenticated threat actor to access unintended data due to a lack of restrictions applied. This vulnerability affects the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. If this vulnerability is left unpatched and is successfully exploited, there may be a low impact on application confidentiality but no impact on integrity and availability. As a solution, SAP provided a kernel patch to remediate the affected ICM component. Specific guidance on selecting and installing the kernel patch is included in this Security Note’s official documentation. This vulnerability does not affect SAP NetWeaver Application Server Java.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into the most urgent patches, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability and Code Scanning
• Threat Detection and Response
• Transport Control
• Dynamic Data Masking
• Session Logging and Data Loss Prevention (DLP)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization, reach out to set up a demo today.