Navigating SAP Security Notes: October 2023 Patch Tuesday

SAP published seven new and two updated Security Notes for October 2023 Patch Tuesday. Relative to previous SAP Security Patch Day releases, this month’s release contains fewer patches overall and with lower than typical severity. Only one of these Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). However, this is an update of a previously released Security Note. There are no new HotNews notes this month. Additionally, there are seven new and one updated Security Notes with a Medium Priority rating (CVSS scores ranging from 4.0 to 6.9). For this blog, we will focus on the four most critical Security Notes, three with a Medium Priority rating and one with a HotNews priority rating.

HotNews Security Notes

Security Note 2622660 is a regularly recurring patch. It provides “security updates for the browser control Google Chromium delivered with SAP Business Client.” This security note addresses numerous vulnerabilities in the third-party web browser control Chromium. Specifically, if the SAP business client release is not updated to the latest patch level, displaying web pages in SAP Business Client may lead to vulnerabilities related to memory corruption and Information Disclosure, among others. Identified impacts of these vulnerabilities include:

• System information disclosure or even system crash in worst-case scenarios.
• Potential direct impacts on system confidentiality, availability, and integrity.
• Exfiltrated information can be leveraged to initiate other attacks, with potentially severe and compounding consequences.

This month’s update includes revised ‘Solution’ information. Specifically, SAP recommends applying additional safeguards as described in the SAP Business Client documentation: SAP Business Client → SAP Business Client Administration Guide → Security Aspects → Security Settings for Browser Controls → Chromium.

This Security Note was first released in April 2018 and has been continuously updated. This month, it has been designated with a CVSS score of 8.8. Since this patch is recurring monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.

Newly Released Medium Priority Security Notes

Security Note 3333426 – [CVE-2023-42477] received a CVSS score of 6.5 and addresses “Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat Application).” Specifically, SAP NetWeaver AS Java Heartbeat application allows an attacker to send a crafted request from a vulnerable web application. If successfully exploited, this vulnerability could enable a threat actor to trick the application and gather sensitive information to be used in further attacks or exploits. If left unpatched, this could cause a limited impact on application confidentiality and integrity. As a solution, SAP allowed list-based validation of external server resource URLs and HTTP request headers. Additionally, SAP advises customers to update NetWeaver AS Java to SP, as this update resolves the problem. Customers should also see the “Validity” and “Support Packages and Patches” sections of this Security Note for specific details and available patches.

Security Note 3372991 – [CVE-2023-42474] received a CVSS score of 6.8 and addresses a “Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Web Intelligence.” SAP BusinessObjects Web Intelligence has a URL with parameters potentially vulnerable to an XSS attack. Specifically, a threat actor could send a malicious link to a user, potentially allowing an attacker to exfiltrate sensitive, confidential information. This vulnerability could lead to exploitation if left unpatched because the application does not sufficiently encode user-controlled inputs. As a solution, SAP removed the vulnerable parameter of the URL so that it cannot be used and exploited anymore.

Security Note 3357154 – [CVE-2023-40310] received a CVSS score of 6.5 and addresses a “Missing XML Validation vulnerability in SAP PowerDesigner Client (BPMN2 import).” SAP PowerDesigner Client does not sufficiently validate BPMN2 XML documents imported from an untrusted source. Because of this, URLs of external entities within the BPMN2 file used could be accessed during import (although not used). As a result, a successful exploitation of this vulnerability could impact the availability of SAP PowerDesigner Client. As a solution, SAP advises customers to upgrade to SAP PowerDesigner Client and proxy version 16.7 SP07 for these benefits:

• A fixed XML pre-processor that is securely configured by default so that external entities are not allowed as part of the BPMN2 input document.
• Added BPMN2 import DTD processing configurations – including white-listing known trusted sources – see: installed default “bpmn2config.xml configuration file.

As a temporary workaround, SAP advises customers to edit untrusted BPMN2 files to remove external entities markups prior to import.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into the most urgent patches, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability and Code Scanning
• Threat Detection and Response
• Transport Control
• Dynamic Data Masking
• Session Logging and Data Loss Prevention (DLP)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization, reach out to set up a demo today.