SAP's November 2023 Security Patch Day includes three new and three updated security notes. The most severe, rated Hot News, is an improper access control vulnerability, tracked as CVE-2023-31403 (CVSS score 9.6), that affects the SAP Business One product installation.
“SAP Business One installation – version 10.0, does not perform proper authentication and authorization checks for SMB shared folder.” reads the advisory. “As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.”
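The flaw described above is a share exposed without proper authentication or authorization, so the check a Windows administrator wants is whether any share on the host lets a broad principal write to it (files placed there can then be executed or consumed by the installer). The following PowerShell audit is an added example, not code from the article or from SAP. The advisory does not name the share used by the Business One installation, so the script assumes nothing about it and audits every non-administrative share, checking both the share-level ACL and the NTFS ACL of the backing folder; the list of "broad" principals is an assumption you should extend for your domain.

```powershell
# Added example (not SAP's code): list SMB shares on this host that a broad
# principal can write to, at the share level or on the underlying folder.
# Requires the SmbShare module (Windows Server 2012+ / Windows 8+) and
# local administrator rights to read the ACLs.

# Assumed list of principals that effectively mean "anyone who can reach
# the share". Extend with domain-wide groups (e.g. 'DOMAIN\Domain Users').
$broadPrincipals = @(
    'Everyone',
    'ANONYMOUS LOGON',
    'Authenticated Users',
    'BUILTIN\Users'
)

function Test-BroadPrincipal {
    param([string]$Name)
    # Account names come back with varying prefixes (NT AUTHORITY\, BUILTIN\),
    # so match on the trailing part.
    foreach ($p in $broadPrincipals) {
        if ($Name -like "*$p") { return $true }
    }
    return $false
}

# Any bit in the Write mask (WriteData, AppendData, WriteEA, WriteAttributes).
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write.value__

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # 1. Share-level permissions: Change or Full granted to a broad principal.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full') -and
            (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }

    # 2. NTFS permissions on the backing folder: effective access is the more
    #    restrictive of share and NTFS, so a tight share ACL alone is not enough
    #    to judge, and a loose NTFS ACL is still a finding worth fixing.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($rule in $acl.Access) {
            $rights = $rule.FileSystemRights.value__
            if ($rule.AccessControlType -eq 'Allow' -and
                ($rights -band $writeMask) -ne 0 -and
                (Test-BroadPrincipal $rule.IdentityReference.Value)) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $rule.IdentityReference.Value
                    Right     = $rule.FileSystemRights
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No non-administrative share grants write access to a broad principal.'
}

# Remediation pattern (not run here): drop the broad grant and give the
# installer's service/admin group the access it needs, e.g.
#   Revoke-SmbShareAccess -Name <share> -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name <share> -AccountName 'DOMAIN\SAP-Installers' -AccessRight Change -Force
```

The script reports a row per offending ACE rather than a single yes/no, so you can see whether the exposure is at the share layer, the NTFS layer, or both; fixing only one layer leaves the folder readable, and possibly writable, through the other if the share is later re-created with default permissions.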
The second Hot News note is an update to a security note first released on the September 2023 Patch Day. The issue, tracked as CVE-2023-40309 (CVSS score 9.8), is a missing authorization check in SAP CommonCryptoLib.
“SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges.” reads the advisory. “Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.”
The security notes released on this Patch Day:

| SAP Note | Type | Title | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2494184 | Update | Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products | BC-SYB-SQA | Medium | 6.3 |
| 3355658 | New | [CVE-2023-31403] Improper Access Control vulnerability in SAP Business One product installation | SBO-CRO-SEC | Hot News | 9.6 |
| 3362849 | New | [CVE-2023-41366] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-CST-IC | Medium | 5.3 |
| 3366410 | New | [CVE-2023-42480] Information Disclosure in NetWeaver AS Java Logon | BC-JAS-SEC | Medium | 5.3 |
| 3333426 | Update | [CVE-2023-42477] Server-Side Request Forgery in SAP NetWeaver AS Java (GRMG Heartbeat application) | BC-JAS-ADM-MON | Medium | 6.5 |
| 3340576 | Update | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | BC-IAM-SSO-CCL | Hot News | 9.8 |
At this time we are not aware of attacks in the wild exploiting these vulnerabilities.
(SecurityAffairs – hacking, SAP)