Overview
SAP’s security patch day for November 2023 has seen the release of five OSS SAP security notes. Two notes have been classified as critical and three as medium, based on their CVSS v3.0 ratings.

Two notes have been released for:
- SAP NetWeaver AS JAVA

In addition, single notes have been released for:
- SAP NetWeaver AS ABAP
- SAP Business One
- SAP CommonCryptoLib

Vulnerabilities: November 2023 Highlights
[CVE-2023-40309] Missing Authorisation check in SAP CommonCryptoLib (SAP Note 3340576)
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorisation checks for an authenticated user, resulting in escalation of privileges.

[CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation (SAP Note 3355658)
SAP Business One installation does not perform proper authentication and authorization checks for the SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or used by the installation process, leading to considerable impact on confidentiality, integrity, and availability.
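
A check for the exposure described under CVE-2023-31403, added here as an example and not taken from SAP or from this review: it flags share ACL entries that grant broad groups access to an SMB share. The share name placeholder, the list of broad principals and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: flag SMB share ACL entries that give broad groups access.
# Assumption: this list of "broad" principals; adjust it to your domain.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users',
                     'Users', 'Domain Users', 'Guests', 'Guest')
$WriteRights = @('Full', 'Change')

function Find-BroadShareAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Entry
    )
    process {
        # Deny entries restrict access, so only Allow entries matter here.
        if ("$($Entry.AccessControlType)" -ne 'Allow') { return }
        # Strip a DOMAIN\ or BUILTIN\ prefix before comparing names.
        $account = ("$($Entry.AccountName)" -split '\\')[-1]
        if ($BroadPrincipals -notcontains $account) { return }
        $canWrite = $WriteRights -contains "$($Entry.AccessRight)"
        [pscustomobject]@{
            Share    = $Entry.Name
            Account  = $Entry.AccountName
            Right    = "$($Entry.AccessRight)"
            Severity = if ($canWrite) { 'High: broad write access' }
                       else { 'Review: broad read access' }
        }
    }
}

# Constructed sample entries in the shape Get-SmbShareAccess returns.
$sample = @(
    [pscustomobject]@{ Name = 'EXAMPLE_SHARE'; AccountName = 'Everyone'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'EXAMPLE_SHARE'; AccountName = 'CONTOSO\B1-Admins'
                       AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'EXAMPLE_SHARE'; AccountName = 'BUILTIN\Users'
                       AccessControlType = 'Allow'; AccessRight = 'Read' }
)
$sample | Find-BroadShareAccess | Format-Table -AutoSize

# On the Business One server, feed it the live share ACL instead.
# $ShareName is a placeholder; the review does not name the share.
# Get-SmbShareAccess -Name $ShareName | Find-BroadShareAccess
```

Effective access over SMB is the more restrictive of the share ACL and the folder's NTFS ACL, so review the folder with `Get-Acl` as well. This check shows whether the share is broadly writable; it does not replace applying SAP Note 3355658.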

About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.