- 294/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP CommonCryptoLib, SAP Content Server, SAP Business One, SAP SQL Anywhere, SAP ASE Cluster Edition, SAP NetWeaver, SAP Event Stream Processor, and SAP Replication Server.
The attacker could exploit some of these vulnerabilities to gain privileges, bypass security, or obtain Information.
Sample of the addressed vulnerabilities:
1. SAP CommonCryptoLib Privilege Escalation Vulnerability (CVE-2023-40309):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
2. SAP Business One Security Bypass Vulnerability (CVE-2023-31403):
- CVSS: 9.6
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
SAP Security Patch Day November 2023