SAP Patch Tuesday overview for April 2023

11 April 2023

A review, best practices, and tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.


A new month, a new SAP Security Patch Tuesday! On the second Tuesday of each month SAP releases patches that fix vulnerabilities in its products, whether those were discovered by SAP internally or by external researchers such as Protect4S' own. All of this serves to improve the security of SAP's products and to let SAP customers run their SAP systems more securely.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, according to their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 24 new and updated SAP Security notes. 5 of these carry the highest rating, HotNews (CVSS 9.0 or higher). A summary of the highest rated notes follows.

  • SAP Business Client: Note 2622660 is a regularly returning SAP Security note concerning the Google Chromium browser control delivered with SAP Business Client, and is relevant for customers that have deployed that client. In this April 2023 update, the patches concerned have a CVSS of 8,8 and should be assessed for installation. See also our previous blog post about this particular note.
  • SAP Diagnostics Agent: Note 3305369 describes 2 Remote Code Execution (RCE) vulnerabilities with CVSS scores of 9 and 10. They concern remote command execution on the operating system of the Diagnostics Agents connected to an SAP Solution Manager system. CVE-2023-27497 is only relevant for MS Windows operating systems; CVE-2023-27267 affects all operating system types. Exploitation can lead to complete compromise of the confidentiality, integrity and availability of the system. It is imperative to apply the fixes supplied by SAP, as there is no workaround. See FAQ note 3309989 for additional information.
  • SAP NetWeaver AS Java: Note 3273480 is an existing note with a CVSS of 9,9 that was first released in 2022. It has been updated with additional patch information for 7.50 SP0026. Customers should confirm whether this patch applies to their landscape.
  • SAP BusinessObjects: Note 3298961 describes potential disclosure of passwords from the so-called lcmbiar file (the Promotion Management export file) by bypassing its encryption. Passwords of BI users can be retrieved from it, potentially leading to complete compromise of the system; it is therefore rated CVSS 9,8. A patch is available; otherwise, the note description gives a workaround that (partly) mitigates this risk.
  • SAP ABAP platform: Note 3294595 (CVSS 9,6) has been updated with a better description of the workaround. If the vulnerability was already fixed by applying the patch, no further action should be necessary.
  • SAP ABAP platform: Note 3305907 describes a so-called Directory Traversal vulnerability with a high CVSS rating of 8,7. It can lead to overwriting of system files and, as a result, render the system unavailable. Applying the note or the corresponding support package mitigates this risk.

At the moment of writing there are, to our knowledge, no public exploits available for the above-mentioned notes. A total of 24 notes have been released this month: 20 new ones and 4 updates to older notes or additions to last month's Patch Tuesday. A breakdown by priority can be found below:

[Image: SAP Patch Tuesday overview for April 2023, breakdown of this month's SAP Security notes by priority. Per the table below: 5 HotNews, 1 High, 15 Medium, 3 Low.]

For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way on ABAP systems (for the notes that ship with automatic correction instructions). A full overview of this month's SAP Security notes can be found below (these are the new and updated notes released after last month's Patch Tuesday):

| SAP Security note # | CVE | Description | CVSS v3 score | Priority |
|---|---|---|---|---|
| 2622660 | | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3305369 | CVE-2023-27497 | Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) | 10 | HotNews |
| 3273480 | CVE-2022-41272 | Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | HotNews |
| 3298961 | CVE-2023-28765 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 9,8 | HotNews |
| 3294595 | CVE-2023-27269 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9,6 | HotNews |
| 3305907 | CVE-2023-29186 | Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | 8,7 | High |
| 3312733 | CVE-2023-26458 | Information Disclosure vulnerability in SAP Landscape Management | 6,8 | Medium |
| 3311624 | CVE-2023-29187 | DLL Hijacking vulnerability in SapSetup (Software Installation Program) | 6,7 | Medium |
| 3289994 | CVE-2023-28761 | Missing Authentication check in SAP NetWeaver Enterprise Portal | 6,5 | Medium |
| 3296378 | CVE-2023-28763 | Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform | 6,5 | Medium |
| 3290901 | CVE-2023-24528 | Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6,5 | Medium |
| 3275458 | CVE-2023-27499 | Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | 6,1 | Medium |
| 3309056 | CVE-2023-27897 | Code Injection vulnerability in SAP CRM | | Medium |
| 3269352 | CVE-2023-29189 | HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) | 5,4 | Medium |
| 3000663 | CVE-2021-33683 | HTTP Request Smuggling in SAP Web Dispatcher and Internet Communication Manager | 5,4 | Medium |
| 3303060 | CVE-2023-29185 | Denial of Service (DoS) in SAP NetWeaver AS for ABAP (Business Server Pages) | 5,3 | Medium |
| 3287784 | CVE-2023-24527 | Improper Access Control in SAP NetWeaver AS Java for Deploy Service | 5,3 | Medium |
| 3315312 | CVE-2023-29108 | IP filter vulnerability in ABAP Platform and SAP Web Dispatcher | | Medium |
| 3316509 | | Remote Code Execution vulnerability in SAP Commerce | 4,7 | Medium |
| 3115598 | CVE-2023-29109 | Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 4,4 | Medium |
| 3301457 | CVE-2023-1903 | Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) | 4,3 | Medium |
| 3113349 | CVE-2023-29110 | Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 3,7 | Low |
| 3114489 | CVE-2023-29112 | Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | 3,7 | Low |
| 3117978 | CVE-2023-29111 | Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | 3,1 | Low |

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!