SAP Patch Day: October 2023
Highlights of October SAP Security Notes analysis include:
- October Summary – Nine new and updated SAP security patches released, including one HotNews Note
- SAP Business Client Update – Chromium fixes that require special attention
- Log Injection in SAP NW AS Java – Complete fix requires two patches
SAP has published nine new and updated Security Notes in its October Patch Day (including the notes that were released or updated since September’s Patch Tuesday). This includes one Hot News Note.
SAP’s October Patch Day was extremely calm. The only Hot News Note is an update of SAP Security Note #2622660 which provides regular patches for SAP Business Client, including the latest tested Chromium patches. The rest of the published SAP Security Notes are of Medium Priority.
HotNews Note #2622660 in Detail
SAP Business Client customers already know that updates of this note always contain important fixes that must be addressed. The newest update of the note references thirty-seven Chromium fixes, including two Priority Critical and twenty Priority High issues. The two critical patches address CVE-2023-4863, a bug in the WebP Codec image rendering library (libwebp). libwebp encodes and decodes images in the WebP format; it is not unique to Chrome but is used by Chromium and incorporated in many other applications, such as Firefox, Edge, Opera, Signal, and Telegram. According to Google, the vulnerability can be exploited simply by displaying a crafted image, and Google states that it is aware of exploits for CVE-2023-4863 existing in the wild. The same applies to the High Priority issue CVE-2023-5217, which was patched with Chromium 117.0.5938.132. In the context of SAP Business Client, the maximum CVSS score that SAP has identified for the new Chromium fixes is 8.8.
About SAP Security Note #3371873
SAP Security Note #3371873, tagged with a CVSS score of 5.3, is an update to note #3324732, which SAP initially released on July’s Patch Day. Both notes patch a Log Injection vulnerability in SAP NetWeaver AS for Java that the Onapsis Research Labs reported to SAP earlier this year. Unlike many other updates, note #3371873 does not completely replace the initial patch: customers need to implement both notes to be fully protected. While the initial note #3324732 contains patches for all three affected software components (ENGINEAPI, SERVERCORE, and J2EE-APPS), note #3371873 only updates the ENGINEAPI component, because the #3324732 patch for that component was incomplete.
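The two-note dependency above is easy to get wrong in a patch inventory. The following Python snippet is an added example (not Onapsis or SAP code) that models whether an update note supersedes or merely supplements an earlier note and reports which components still lack a required patch; the note numbers and component names are taken from this post, while note 9990000 is a constructed placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    """One SAP Security Note: which components it patches and, if it is a
    full replacement, which earlier note(s) it supersedes."""
    number: int
    components: frozenset
    supersedes: frozenset = frozenset()


# The Log Injection fix from the text: #3371873 only re-delivers ENGINEAPI
# and does NOT supersede #3324732, so both notes are required.
LOG_INJECTION_FIX = {
    3324732: Note(3324732, frozenset({"ENGINEAPI", "SERVERCORE", "J2EE-APPS"})),
    3371873: Note(3371873, frozenset({"ENGINEAPI"})),
}

# Constructed contrast case (placeholder number, not a real note): an update
# that fully replaced #3324732 would be modelled with `supersedes`.
REPLACING_UPDATE = {
    3324732: LOG_INJECTION_FIX[3324732],
    9990000: Note(9990000, frozenset({"ENGINEAPI", "SERVERCORE", "J2EE-APPS"}),
                  supersedes=frozenset({3324732})),
}


def unpatched_components(required, applied):
    """Components still lacking a required patch.

    `required` maps note number -> Note for one fix; `applied` is the set of
    note numbers implemented on the system. A required note is satisfied if it
    was applied directly or if an applied note declares that it supersedes it."""
    satisfied = set(applied)
    for num in applied:
        if num in required:
            satisfied |= required[num].supersedes
    missing = set()
    for num, note in required.items():
        if num not in satisfied:
            missing |= note.components
    return missing


def fully_protected(required, applied):
    return not unpatched_components(required, applied)


if __name__ == "__main__":
    # Only the July note applied: ENGINEAPI is still exposed.
    print(unpatched_components(LOG_INJECTION_FIX, {3324732}))  # {'ENGINEAPI'}
```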
Summary and Conclusion
With only nine SAP Security Notes and no new Hot News or High Priority Note, SAP’s October Patch Day is among the calmest Patch Days of the last 5 years. Although SAP has rated the newly patched Chromium vulnerabilities in the context of SAP Business Client with a maximum CVSS score of 8.8, we strongly recommend checking the available resources for other affected applications running on your business or personal PC, since the vulnerabilities put your front ends at risk.
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance, ensuring customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, view The Defenders Digest, our monthly video recap of ERP security news.