- 219/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (5) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Business Objects Business Intelligence Platform (Promotion Management), SAP CommonCryptoLib, SAP PowerDesignerClient, SAP Quotation Management Insurance (FS-QUO), SAP NetWeaver AS ABAP, S4CORE (Manage Purchase Contracts App), S4 HANA ABAP (Manage checkbook apps), SAPHost Agent and SAPExtended Application Services and Runtime (XSA).
The attacker could exploit some of these vulnerabilities to gain access, execute arbitrary code, bypass security restrictions, obtain sensitive information, or perform denial of service attacks.
Sample of the addressed vulnerabilities:
1. SAP BusinessObjects Business Intelligence Platform Information Disclosure (CVE-2023-40622):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
2. SAP CommonCryptoLib Missing Authorization Check (CVE-2023-40309):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.