
SAP Patch Tuesday overview for June 2023 

A review, best practices, tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.


A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases patches that fix vulnerabilities in SAP products. The vulnerabilities are discovered either by SAP internally or by external researchers such as Protect4S' own researchers, all working to improve the security of SAP's products and to help SAP customers run their SAP systems more securely.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, according to their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 6 new and 7 updated SAP Security notes, a lower number than in previous months. Also, none of the released notes carries the highest HotNews rating (CVSS 9 or higher). That is no reason to take the released security notes lightly, though. A summary of the highest-rated notes follows.

  • SAP Knowledge Warehouse: Note 3102769 is not new but has been re-released with updated information regarding releases 7.31 and 7.40. Its CVSS score is 8.8; make sure the patches already applied in the relevant systems are still sufficient, or consider the workaround described in note 3221696.
  • SAP UI5: Note 3324285 describes a Cross-Site Scripting (XSS) vulnerability with a CVSS score of 8.2; many other security notes this month concern XSS as well. It is fixed as of the SAPUI5 versions mentioned in the note. For further information about patching SAPUI5, see our earlier blog post on the subject.
  • SAP Plant Connectivity: Note 3301942 describes a vulnerability in the validation of the JSON Web Token (JWT). A workaround can be achieved at network level by limiting access to the Plant Connectivity / Production Connector component; patching is required for a definitive fix. The suggestion to restrict network access from networks that do not need it is solid advice in any case.
  • SAP UI5: Note 3326210 has been updated with new solution and workaround information. The CVSS score is still 7.1; make sure that the levels installed on all systems are still sufficient according to the levels mentioned in the note.
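The post gives no detail on what is wrong with the token validation in note 3301942, so the following is not a description of that vulnerability. It is an added, generic illustration (not code from Protect4S or SAP) of the class of mistake that token-validation notes usually concern: a consumer that decodes a JWT and trusts its claims without verifying the signature, algorithm, expiry, audience and issuer, shown next to a strict verifier. It assumes HS256 with a shared key; the key, claim values and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token the strict verifier refuses to accept."""


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def json_segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed token; used here only to construct sample input."""
    signing_input = json_segment({"alg": "HS256", "typ": "JWT"}) + "." + json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def insecure_claims(token: str) -> dict:
    """The anti-pattern: return whatever the payload says without checking anything."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256_token(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Strict verification: pin the algorithm, check the signature before trusting any
    claim, then enforce exp/nbf/aud/iss. Returns the claim set or raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload_raw = b64url_decode(payload_b64)
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise TokenError("malformed segment") from exc
    # The token never gets to choose the algorithm: "none" and algorithm
    # confusion are both rejected by pinning HS256 on the verifier side.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(payload_raw)
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(claims, dict):
        raise TokenError("payload is not a claim set")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("missing or expired exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise TokenError("token not yet valid")
    if claims.get("aud") != audience:
        raise TokenError("audience mismatch")
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    return claims


def is_accepted(token: str, key: bytes, audience: str, issuer: str, now=None) -> bool:
    """Boolean wrapper around verify_hs256_token for quick checks."""
    try:
        verify_hs256_token(token, key, audience, issuer, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = make_hs256_token({"sub": "pco-client", "aud": "pco", "iss": "idp",
                              "exp": time.time() + 600}, key)
    print("strict:", is_accepted(token, key, "pco", "idp"))
    print("unverified claims:", insecure_claims(token))
```

The order matters: the signature is checked before any claim is read, the algorithm comes from the verifier's configuration rather than from the token, and every claim the consumer relies on (exp, aud, iss) is required rather than optional. Restricting which networks can reach the component, as the note's workaround suggests, reduces exposure while the patch is being rolled out but does not replace any of these checks.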

At the moment of writing, there are no public exploits available to our knowledge for the above-mentioned notes. A breakdown by priority can be found below: 

[Image: breakdown of this month's SAP Security notes by priority]

For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way on ABAP systems (for the patches that ship with automatic correction instructions). A full overview of this month's SAP Security notes can be found below (these are the new and updated notes released after last month's Patch Tuesday):

| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | 8.8 | High |
| 3324285 | [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management) | 8.2 | High |
| 3301942 | [CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing | 7.9 | High |
| 3326210 | [CVE-2023-30743] Improper Neutralization of Input in SAPUI5 | 7.1 | High |
| 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | 6.5 | Medium |
| 3318657 | [CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository) | 6.4 | Medium |
| 3319400 | [CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform | 6.1 | Medium |
| 2826092 | [CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management) | 6.1 | Medium |
| 3331627 | [CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal) | 6.1 | Medium |
| 3322800 | Update 1 to security note 3315971 – [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 6.1 | Medium |
| 3315971 | [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | 6.1 | Medium |
| 1794761 | [CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL) | 4.2 | Medium |
| 3325642 | [CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System) | 2.7 | Low |
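The monthly review process described above (collect the released notes, map each to a priority, compare against what is already applied, work through the rest in risk order) is easy to make mechanical. The following added example, not part of the post and not Protect4S' own tooling, does that over the table in this post: it parses the rows, checks each stated priority against SAP's published CVSS-to-priority bands (HotNews 9.0 and up, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), produces the per-priority breakdown, and lists the notes still missing given a constructed set of already-applied note numbers. The list of applied notes is an assumption for the example; in practice it would come from the system's installed note inventory.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the table in this post: note number | description | CVSS v3 | priority.
NOTES_JUNE_2023 = """\
3102769|[CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse|8.8|High
3324285|[CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)|8.2|High
3301942|[CVE-2023-2827] Missing Authentication in SAP Plant Connectivity and Production Connector for SAP Digital Manufacturing|7.9|High
3326210|[CVE-2023-30743] Improper Neutralization of Input in SAPUI5|7.1|High
3142092|[CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)|6.5|Medium
3318657|[CVE-2023-33984] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Design Time Repository)|6.4|Medium
3319400|[CVE-2023-31406] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform|6.1|Medium
2826092|[CVE-2023-33986] Cross-Site Scripting (XSS) vulnerability in SAP CRM ABAP (Grantor Management)|6.1|Medium
3331627|[CVE-2023-33985] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver (Enterprise Portal)|6.1|Medium
3322800|Update 1 to security note 3315971 - [CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)|6.1|Medium
3315971|[CVE-2023-30742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)|6.1|Medium
1794761|[CVE-2023-32115] SQL Injection in Master Data Synchronization (MDS COMPARE TOOL)|4.2|Medium
3325642|[CVE-2023-32114] Denial of Service in SAP NetWeaver (Change and Transport System)|2.7|Low
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class SecurityNote:
    number: str
    description: str
    cvss: float
    priority: str

    @property
    def cve(self):
        """First CVE id mentioned in the description, or None for notes without one."""
        match = CVE_RE.search(self.description)
        return match.group(0) if match else None


def parse_notes(text: str):
    """Parse pipe-separated rows into SecurityNote objects, skipping blank lines."""
    notes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, description, cvss, priority = (field.strip() for field in line.split("|"))
        notes.append(SecurityNote(number, description, float(cvss), priority))
    return notes


def sap_priority(cvss: float) -> str:
    """SAP's published mapping from CVSS v3 base score to security note priority."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def inconsistent_rows(notes):
    """Notes whose stated priority disagrees with their CVSS score (catches transcription errors)."""
    return [n for n in notes if sap_priority(n.cvss) != n.priority]


def breakdown_by_priority(notes) -> dict:
    """Count of notes per priority, the same view as the chart in the post."""
    return dict(Counter(n.priority for n in notes))


def missing_notes(notes, applied):
    """Notes not yet applied, highest CVSS first so the patching order is explicit."""
    return sorted((n for n in notes if n.number not in applied),
                  key=lambda n: (-n.cvss, n.number))


def triage_report(notes, applied) -> str:
    """Human-readable worklist for the monthly review."""
    lines = ["Breakdown: " + ", ".join(f"{p}={c}" for p, c in breakdown_by_priority(notes).items())]
    for n in missing_notes(notes, applied):
        lines.append(f"MISSING {n.number} {n.priority:<7} CVSS {n.cvss:<4} {n.cve or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed for the example: pretend these three notes are already applied.
    already_applied = {"3102769", "3324285", "3326210"}
    all_notes = parse_notes(NOTES_JUNE_2023)
    assert not inconsistent_rows(all_notes), "priority column does not match CVSS bands"
    print(triage_report(all_notes, already_applied))
```

Two things the script makes explicit that a manual review tends to skip: updated notes (3322800 here is an update to 3315971) show up as separate work items so that a system patched last month is re-checked, and the consistency check on the priority column catches a mis-copied score before it drives a decision.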

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!