
SAP Patch Tuesday overview for May 2023 

A review, best practices and tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.


A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases patches for vulnerabilities in SAP products, whether found by SAP internally or reported by external researchers such as Protect4S' own. All of this serves to improve the security of SAP's products and to let SAP customers run their SAP systems more securely.

As always, customers should assess the list of released SAP Security Notes and apply them where applicable, according to their SAP vulnerability management process and procedures. This month, counting from the last Patch Tuesday, there are 18 new and 7 updated SAP Security Notes. 3 of these carry the highest rating, HotNews (CVSS 9.0 or higher), which is fewer than in previous months. A summary of the highest-rated notes follows.

  • SAP Business Client: Note 2622660 is a regularly returning SAP Security Note covering the Google Chromium browser control shipped with SAP Business Client, and is relevant for customers that have deployed SAP Business Client. The May 2023 update of this note again carries patches with a CVSS score of 9.8, so it should be assessed for installation. See also our previous blog post about this particular note.
  • SAP 3D Visual Enterprise License Manager: the Reprise License Manager component in version 14.2, used with SAP 3D Visual Enterprise License Manager, has vulnerabilities in its web interface, rated CVSS 9.8; see note 3328495. The fix is an updated version of SAP 3D Visual Enterprise License Manager that can be installed without the web-interface functionality. Disabling the web interface is available as a workaround, but applying the update is preferred.
  • SAP BusinessObjects: Note 3307833 describes a vulnerability that can lead to impersonation of any user on the system and to unavailability of the system as a whole. It has a CVSS score of 9.1 and can only be fixed by applying the provided patches. The note also serves as an additional fix for the earlier security notes 3145769, 3213507, 3213524, 3233226 and 3217303, so having implemented those earlier notes is not enough: implement note 3307833 as well to make sure all of these vulnerabilities are fixed.
  • SAP Commerce: two vulnerabilities are addressed by notes 3320145 and 3321309, each with a CVSS score of 7.5, impacting the availability and the confidentiality of the system respectively. Determining the required patches can be tricky; see the referenced link for additional information about patch releases for SAP Commerce.

At the time of writing there are, to our knowledge, no public exploits for the notes mentioned above. A total of 25 notes were released this month: 18 new ones and 7 updates to older notes or additions to last month's Patch Tuesday. A breakdown by priority is shown below:

[Image: SAP Patch Tuesday overview for May 2023, breakdown of notes by priority]

For organisations running SAP software it is important to have a process and procedures in place that ensure the SAP Security Notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security Notes and, for ABAP systems, applying the notes that ship with automatic correction instructions in an automated way. A full overview of this month's SAP Security Notes can be found below (new and updated notes released after last month's Patch Tuesday):

| SAP Security Note # | Description | CVSS v3 score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews |
| 3328495 | Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager | 9.8 | HotNews |
| 3307833 | [CVE-2023-28762] Information disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform | 9.1 | HotNews |
| 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | 8.2 | High |
| 3317453 | [CVE-2023-30744] Improper access control during application start-up in SAP AS NetWeaver JAVA | 8.2 | High |
| 3323415 | [CVE-2023-29080] Privilege escalation vulnerability in SAP IBP, add-in for Microsoft Excel | 8.2 | High |
| 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 7.7 | High |
| 3320467 | [CVE-2023-32113] Information Disclosure vulnerability in SAP GUI for Windows | 7.5 | High |
| 3320145 | Denial of service (DOS) in SAP Commerce | 7.5 | High |
| 3300624 | [CVE-2023-32111] Memory Corruption vulnerability in SAP PowerDesigner (Proxy) | 7.5 | High |
| 3321309 | Information Disclosure vulnerability in SAP Commerce (Backoffice) | 7.5 | High |
| 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | 7.1 | High |
| 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 6.8 | Medium |
| 3313484 | [CVE-2023-30740] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 6.3 | Medium |
| 3309935 | [CVE-2023-30741] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | 6.1 | Medium |
| 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 6.1 | Medium |
| 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | 6.1 | Medium |
| 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | | Medium |
| 3315979 | [CVE-2023-29188] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 5.4 | Medium |
| 3312892 | [CVE-2023-31407] Cross-Site Scripting (XSS) vulnerability in SAP Business Planning and Consolidation | 5.4 | Medium |
| 3145769 | [CVE-2022-27667] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 5.3 | Medium |
| 3038911 | [CVE-2023-31404] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Service) | | Medium |
| 3302595 | [CVE-2023-28764] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 3.7 | Low |
| 3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | 3.1 | Low |
| 2335198 | [CVE-2023-32112] Missing Authorization Check in Vendor Master Hierarchy | 2.8 | Low |
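The monthly triage step described above (review the released notes, drop the ones for products you do not run, rank the rest, and catch the two traps this month shows: an updated note whose older version is already in, and a note such as 3307833 that is still required even when the earlier notes it extends are implemented) is illustrated below as an added example. This is not code from the original post nor from the Protect4S product. The note numbers, CVSS scores and priorities are taken from the table above; the product-family labels, the note versions and the landscape inventory are constructed here for illustration and are not SAP data.

```python
"""Triage of one month's SAP Security Notes against a landscape inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SecurityNote:
    number: int
    title: str
    component: str            # product family, assigned by hand from the note title (assumption)
    cvss: Optional[float]     # None where the table does not list a score
    priority: str             # HotNews / High / Medium / Low, as SAP rates the note
    version: int = 1          # note version; placeholder values here, read the real one from the note header
    also_fixes: Tuple[int, ...] = ()   # earlier notes this note is an additional fix for


PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}

# Subset of the May 2023 notes from the table above. Version numbers are placeholders:
# 3213507 is modelled as an updated note (version 2) because it dates from 2022 and reappears this month.
MAY_2023_NOTES: List[SecurityNote] = [
    SecurityNote(2622660, "Chromium updates for SAP Business Client", "SAP Business Client", 10.0, "HotNews"),
    SecurityNote(3328495, "Reprise License Manager 14.2 in SAP 3D VE License Manager", "SAP 3D Visual Enterprise", 9.8, "HotNews"),
    SecurityNote(3307833, "[CVE-2023-28762] Information disclosure in SAP BusinessObjects BI Platform",
                 "SAP BusinessObjects", 9.1, "HotNews", also_fixes=(3145769, 3213507, 3213524, 3233226, 3217303)),
    SecurityNote(3213507, "[CVE-2022-31596] Information disclosure in SAP BusinessObjects BI (Monitoring DB)",
                 "SAP BusinessObjects", 8.2, "High", version=2),
    SecurityNote(3317453, "[CVE-2023-30744] Improper access control at start-up in SAP AS NetWeaver JAVA",
                 "SAP NetWeaver AS Java", 8.2, "High"),
    SecurityNote(3320467, "[CVE-2023-32113] Information disclosure in SAP GUI for Windows", "SAP GUI for Windows", 7.5, "High"),
    SecurityNote(3320145, "Denial of service in SAP Commerce", "SAP Commerce", 7.5, "High"),
    SecurityNote(3321309, "Information disclosure in SAP Commerce (Backoffice)", "SAP Commerce", 7.5, "High"),
    SecurityNote(3326210, "[CVE-2023-30743] Improper neutralization of input in SAPUI5", "SAPUI5", 7.1, "High"),
    SecurityNote(3315971, "[CVE-2023-30742] XSS in SAP CRM (WebClient UI)", "SAP CRM", 6.1, "Medium"),
    SecurityNote(3038911, "[CVE-2023-31404] Information disclosure in SAP BusinessObjects BI (CMS)",
                 "SAP BusinessObjects", None, "Medium"),
]

# Constructed landscape inventory: product families that are deployed, and notes already
# implemented (note number -> implemented version). Not a real customer landscape.
LANDSCAPE: Set[str] = {"SAP BusinessObjects", "SAP NetWeaver AS Java", "SAP Commerce", "SAPUI5", "SAP GUI for Windows"}
IMPLEMENTED: Dict[int, int] = {3213507: 1, 3326210: 1}


def sort_key(note: SecurityNote):
    """HotNews first, then by CVSS descending; a missing score sorts last within its priority band."""
    cvss = note.cvss if note.cvss is not None else -1.0
    return (PRIORITY_RANK[note.priority], -cvss, note.number)


def triage(notes: List[SecurityNote], landscape: Set[str], implemented: Dict[int, int]) -> List[Tuple[int, str, List[str]]]:
    """Return the ordered worklist as (note number, action, remarks) for every note that still needs work."""
    worklist = []
    for note in sorted(notes, key=sort_key):
        if note.component not in landscape:
            continue                                   # product not deployed: note not applicable
        remarks: List[str] = []
        done_version = implemented.get(note.number)
        if done_version is None:
            action = "apply"
        elif done_version < note.version:
            action = "re-apply"                        # updated note: only the older version is in
            remarks.append(f"implemented v{done_version}, current v{note.version}")
        else:
            continue                                   # current version already implemented
        if note.cvss is None:
            remarks.append("CVSS not listed: rate manually before scheduling")
        covered = [n for n in note.also_fixes if n in implemented]
        if covered:
            # Having the earlier notes in does not cover this one; it is an additional fix on top of them.
            remarks.append(f"additional fix for already implemented note(s) {covered}: still required")
        worklist.append((note.number, action, remarks))
    return worklist


if __name__ == "__main__":
    for number, action, remarks in triage(MAY_2023_NOTES, LANDSCAPE, IMPLEMENTED):
        print(f"{number}  {action:9s} {'; '.join(remarks)}")
```

On the constructed inventory the worklist starts with 3307833 (flagged as still required although 3213507 is implemented), followed by the re-apply of the updated 3213507, the remaining High notes for deployed products, and 3038911 last with a reminder to rate it by hand; the Business Client, 3D Visual Enterprise and CRM notes are dropped because those products are not in the landscape, and 3326210 is dropped because its current version is already in.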

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!