SAP Security Notes – November 2023 - Safe O'Clock

SAP Security Notes – November 2023

November 15, 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes.

There were 3 updates to previously released Security Notes.


Notes by severity

HotNews: 2
Correction with high priority: 0
Correction with medium priority: 4
Correction with low priority: 0

Highlights


On the November Patch Day SAP presents 2 high-severity HotNews Notes.

Quite a few Notes were released or updated, so we will highlight and break down both the HotNews Notes and the main Medium priority Notes.


We will start with Note 3340576, a critical update to a Note from the October Patch Day – Missing Authorization check in SAP CommonCryptoLib – with a CVSS Score of 9.8.
SAP CommonCryptoLib fails to conduct required authentication checks, which may result in missing or incorrect permission checks for an authenticated user and hence in privilege escalation. Depending on the program and the amount of access obtained, an attacker could read, edit, or delete restricted data, as well as use capabilities restricted to a certain user group.

The Note was re-released with updated ‘Solution’ information.

Then we have the second HotNews Security Note released, 3355658 – Improper Access Control vulnerability in SAP Business One product installation – with a CVSS Score of 9.6.
The installation of SAP Business One does not perform sufficient authentication and authorization checks for SMB shared folders. As a result, any malicious user can access this folder. Furthermore, the files in the folder can be executed or used by the installation process, which has a high impact on confidentiality, integrity, and availability.
This Note covers the vulnerability in SAP Business One version 10. Given the high severity of the Note, every user running this recent major version should pay close attention to this correction.

The next Medium priority Note to describe is 3333426 – Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) – with a CVSS Score of 6.5.
The SAP NetWeaver AS Java GRMG Heartbeat application allows an attacker to send a forged request from the vulnerable web application, with limited impact on the application’s confidentiality and integrity.
This Note has been re-released with updated ‘Support Packages & Patches’ information: the fix is provided in the Support Packages SP024 and SP025 for NetWeaver AS Java version 7.50.

The last Note to highlight is 2494184 for Sybase products – Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products – with a CVSS Score of 6.3.
Because the SAP Sybase Cockpit, SAP Control Center (SCC), SQL Anywhere Monitor, and SQL Anywhere On Demand Edition Cloud Console management tools lack CSRF protection, an attacker could deceive an authenticated user into sending an unwanted request to the web server.
This Note has been re-released with updated ‘Reason and Prerequisites’ and ‘Solution’ information. Users of Sybase products such as SAP SQL Anywhere or SAP IQ, as well as of the other Sybase products mentioned, should apply the updated solution.

Summary

SAP Component  | Number  | Description                                                                                                   | Priority | CVSS | CVSS Vector
BC-IAM-SSO-CCL | 3340576 | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib                                           | HotNews  | 9.8  | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SBO-CRO-SEC    | 3355658 | [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation               | HotNews  | 9.6  | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-JAS-ADM-MON | 3333426 | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application)            | Medium   | 6.5  | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
BC-SYB-SQA     | 2494184 | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products                               | Medium   | 6.3  | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
BC-CST-IC      | 3362849 | [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | 5.3  | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-JAS-SEC     | 3366410 | [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon                                            | Medium   | 5.3  | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N