SAP published seven new and two updated Security Notes for October 2023 Patch Tuesday. Compared with previous SAP Security Patch Day releases, this month’s release contains fewer patches overall, and their severity is lower than usual. Only one of these Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0), and it is an update of a previously released Security Note; there are no new HotNews notes this month. Additionally, there are seven new and one updated Security Notes with a Medium Priority rating (CVSS scores ranging from 4.0 to 6.9). In this blog, we focus on the four most critical Security Notes: three with a Medium Priority rating and one with a HotNews priority rating.
Security Note 2622660 is a regularly recurring patch. It provides “security updates for the browser control Google Chromium delivered with SAP Business Client.” This Security Note addresses numerous vulnerabilities in the third-party web browser control Chromium. Specifically, if the SAP Business Client release is not updated to the latest patch level, displaying web pages in SAP Business Client may expose it to vulnerabilities such as memory corruption and information disclosure, among others. Identified impacts of these vulnerabilities include:
This month’s update includes revised ‘Solution’ information. Specifically, SAP recommends applying additional safeguards as described in the SAP Business Client documentation: SAP Business Client → SAP Business Client Administration Guide → Security Aspects → Security Settings for Browser Controls → Chromium.
This Security Note was first released in April 2018 and has been continuously updated. This month, it has been designated with a CVSS score of 8.8. Since this patch is recurring monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.
Security Note 3333426 – [CVE-2023-42477] received a CVSS score of 6.5 and addresses “Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat Application).” Specifically, the SAP NetWeaver AS Java GRMG Heartbeat application allows an attacker to send a crafted request from a vulnerable web application. If successfully exploited, this vulnerability could enable a threat actor to trick the application into gathering sensitive information to be used in further attacks. If left unpatched, this could have a limited impact on application confidentiality and integrity. As a solution, SAP added allowlist-based validation of external server resource URLs and HTTP request headers. Additionally, SAP advises customers to update NetWeaver AS Java to SP, as this update resolves the problem. Customers should also see the “Validity” and “Support Packages and Patches” sections of this Security Note for specific details and available patches.
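The fix described above, allowlist-based validation of external server URLs and HTTP request headers, is the general SSRF mitigation for any component that fetches a URL on a user's behalf. The following Python block is an added example written for this post; it is not SAP code and makes no claim about how the GRMG Heartbeat patch is implemented. The allowlist contents, the `TargetRejected` exception and the function names are assumptions chosen for illustration. It validates scheme, embedded credentials, IP literals, hostname and port before rebuilding a canonical URL, and drops any request header that is not explicitly permitted.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would load it from
# configuration and keep it as narrow as the monitoring use case allows.
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_HOSTS = frozenset({"heartbeat.example.com", "monitor.example.internal"})
ALLOWED_PORTS = frozenset({None, 80, 443})
ALLOWED_HEADERS = frozenset({"accept", "user-agent", "x-request-id"})


class TargetRejected(ValueError):
    """A supplied URL or header set failed allowlist validation (hypothetical name)."""


def validate_target_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a canonical URL if every component passes the allowlist, else raise.

    Cheap structural rejections (scheme, embedded credentials, IP literals)
    run before the hostname lookup, and the result is rebuilt from the
    validated pieces so the raw input string is never forwarded.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise TargetRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://heartbeat.example.com@other.invalid/' would otherwise fool
        # a naive substring match on the allow-listed name.
        raise TargetRejected("credentials in URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise TargetRejected("URL has no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal; continue with the hostname checks
    else:
        # Loopback, link-local and private-range literals are the usual way
        # an SSRF reaches internal services; only named, listed hosts pass.
        raise TargetRejected(f"IP literal not allowed: {host!r}")
    if host not in allowed_hosts:
        raise TargetRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise TargetRejected("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise TargetRejected(f"port not allowed: {port}")
    netloc = host if port is None else f"{host}:{port}"
    return parts._replace(netloc=netloc, fragment="").geturl()


def is_allowed_target(url):
    """Boolean convenience wrapper around validate_target_url."""
    try:
        validate_target_url(url)
    except TargetRejected:
        return False
    return True


def filter_request_headers(headers, allowed=ALLOWED_HEADERS):
    """Keep only allow-listed headers and reject values that could split a request.

    Headers such as Host, Cookie and Authorization are dropped rather than
    forwarded, and CR/LF/NUL in a value is treated as an error.
    """
    clean = {}
    for name, value in headers.items():
        key = name.strip().lower()
        if key not in allowed:
            continue
        if any(ch in value for ch in "\r\n\x00"):
            raise TargetRejected(f"control character in header {key!r}")
        clean[key] = value.strip()
    return clean
```

The hostname check intentionally rejects IP literals outright instead of trying to enumerate private ranges; an allowlist of names is easier to audit than a blocklist of addresses. Note that a resolver-level check (the allow-listed name resolving to an internal address) is a separate control this block does not attempt.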
Security Note 3372991 – [CVE-2023-42474] received a CVSS score of 6.8 and addresses a “Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence.” SAP BusinessObjects Web Intelligence has a URL with parameters potentially vulnerable to an XSS attack. Specifically, a threat actor could send a malicious link to a user, potentially allowing the attacker to exfiltrate sensitive, confidential information. The root cause is that the application does not sufficiently encode user-controlled input, so the vulnerability remains exploitable until patched. As a solution, SAP removed the vulnerable URL parameter so that it can no longer be used or exploited.
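To make the root cause and the two possible remedies concrete, here is an added Python example (not SAP code, and not a description of Web Intelligence internals): a URL query parameter reflected into a page without encoding, the same rendering with context-aware output encoding, and the remedy the note describes, where the parameter is simply no longer read. The parameter name `title`, the host `bi.example.invalid` and the function names are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def _query_param(url, name):
    """Return the first value of a query parameter, or '' when absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_title_vulnerable(url):
    """'Before' picture: the parameter is reflected unencoded, so markup in the
    link becomes markup in the victim's browser."""
    return f"<h1>{_query_param(url, 'title')}</h1>"


def render_title_encoded(url):
    """Output encoding: every character with meaning in HTML text or inside a
    double-quoted attribute is escaped before the value is reflected."""
    safe = html.escape(_query_param(url, "title"), quote=True)
    return f'<h1 title="{safe}">{safe}</h1>'


def render_title_removed(url, default="Report"):
    """The remedy the Security Note describes: the parameter is no longer honored,
    so nothing in the link can influence the page. `url` is accepted only to keep
    the same call signature as the other renderers."""
    return f"<h1>{html.escape(default)}</h1>"


def reflects_raw_markup(render, url):
    """Detection helper: does the renderer emit any '<' from the parameter verbatim?"""
    value = _query_param(url, "title")
    return "<" in value and value in render(url)
```

`html.escape(..., quote=True)` also converts `"` and `'`, which is what makes the same encoded value safe inside a quoted attribute; plain text encoding alone is not enough for attribute context. Removing the parameter, as SAP did, is the stronger option when the parameter has no remaining legitimate use.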
Security Note 3357154 – [CVE-2023-40310] received a CVSS score of 6.5 and addresses a “Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import).” SAP PowerDesigner Client does not sufficiently validate BPMN2 XML documents imported from an untrusted source. As a result, URLs of external entities declared in the BPMN2 file could be accessed during import, even though their content is not used. Successful exploitation of this vulnerability could therefore impact the availability of SAP PowerDesigner Client. As a solution, SAP advises customers to upgrade to SAP PowerDesigner Client and proxy version 16.7 SP07 for these benefits:
As a temporary workaround, SAP advises customers to edit untrusted BPMN2 files to remove external entity markup prior to import.
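The problem and the workaround above both come down to one rule: an importer must never follow an external entity reference found in an untrusted XML file. The following Python block is an added example written for this post, not SAP PowerDesigner code; it shows how an importer can parse a BPMN2 document with the standard-library expat parser while recording every external DTD or entity declaration and refusing to fetch anything, then reject the file when such markup is present. This is a stricter automation of the manual "remove external entity markup" workaround. Both BPMN2 samples are constructed for the example, and `UnsafeBpmnDocument` and the function names are assumptions.

```python
import xml.parsers.expat as expat


class UnsafeBpmnDocument(ValueError):
    """Raised when a BPMN2 document declares an external DTD or external entity."""


def scan_bpmn2(xml_bytes):
    """Parse BPMN2 XML without ever fetching an external resource.

    Returns (element_counts, external_refs). element_counts maps local element
    names to how often they occur; external_refs lists every external DTD,
    external entity declaration or external entity reference encountered.
    """
    external_refs = []
    element_counts = {}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD subset is itself a URL the parser would otherwise load.
        if system_id is not None or public_id is not None:
            external_refs.append(("doctype", system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # SYSTEM/PUBLIC entities carry a URL; internal entities have value only.
        if system_id is not None or public_id is not None:
            external_refs.append(("entity:" + name, system_id or public_id))

    def on_external_ref(context, base, system_id, public_id):
        # Defense in depth: returning 0 aborts parsing instead of fetching.
        external_refs.append(("reference", system_id or public_id))
        return 0

    def on_start(name, attrs):
        local = name.split(":")[-1]
        element_counts[local] = element_counts.get(local, 0) + 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    # Never expand parameter entities, which is where external DTD loading hides.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        if not external_refs:
            raise  # a genuinely malformed file, not an aborted external fetch
    return element_counts, external_refs


def import_bpmn2(xml_bytes):
    """Import gate: refuse any document that carries external entity markup."""
    counts, refs = scan_bpmn2(xml_bytes)
    if refs:
        raise UnsafeBpmnDocument(f"external references found: {refs}")
    return counts


def is_safe_bpmn2(xml_bytes):
    """Boolean convenience wrapper around import_bpmn2."""
    try:
        import_bpmn2(xml_bytes)
    except UnsafeBpmnDocument:
        return False
    return True


# Constructed sample: a minimal, clean BPMN2 process.
SAFE_BPMN2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <bpmn:process id="Process_1">
    <bpmn:startEvent id="Start_1"/>
    <bpmn:task id="Task_1" name="Review order"/>
    <bpmn:endEvent id="End_1"/>
  </bpmn:process>
</bpmn:definitions>
"""

# Constructed sample: the same process with an external entity declared and
# referenced; the URL is a placeholder, nothing is ever fetched.
UNSAFE_BPMN2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE bpmn:definitions [
  <!ENTITY ext SYSTEM "http://example.invalid/resource">
]>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL">
  <bpmn:process id="Process_1">
    <bpmn:documentation>&ext;</bpmn:documentation>
  </bpmn:process>
</bpmn:definitions>
"""
```

The detection works at the declaration, before any reference is reached, so a file that declares an external entity but never uses it is still rejected; that matches the Security Note's observation that the URL could be accessed even though the entity is not used.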
Staying current with the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the confidentiality, integrity, and availability (the CIA triad) of your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.
Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into the most urgent patches, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.
Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:
Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.
To see how Pathlock can help your organization, reach out to set up a demo today.