Advisory

SAP issues October 2023 advisories for their products

Take action: Not a terrible patch this month. You can probably get away with just applying the fixes for libwebp and libvpx. The most important one is the libwebp patch, because everything and everyone parses .webp image files, which can now be malicious.


Learn More

SAP released seven security notes and updated two existing ones as part of its October 2023 Security Patch Day. The remaining security notes, seven in total, are of medium severity, so not terrible.

The most urgent of these security notes concerns the Chromium browser integrated into SAP's Business Client. This update bundles 37 separate fixes, including two rated critical and twenty rated high severity.

As part of the fixes, SAP has addressed the libwebp vulnerability CVE-2023-4863. This flaw lies in the image rendering software and has already seen active exploitation.

This particular update also fixes CVE-2023-5217, a distinct vulnerability in the video library libvpx that Google had previously flagged and fixed in September.

SAP's second updated security note this week addresses a log injection vulnerability in NetWeaver. Tracked as CVE-2023-31405 with a CVSS score of 5.3, this issue was originally patched in July 2023. However, Onapsis specifies that the updated security note does not entirely replace the original patch. For complete protection, customers should apply both the original and the update. The revised patch specifically concerns the ENGINEAPI component, where the original fix was found lacking.

The remaining security notes, seven in total, are of medium severity. They address issues such as cross-site scripting (XSS), server-side request forgery (SSRF), and missing authorization checks, among others, and affect a range of SAP products, including but not limited to BusinessObjects, PowerDesigner Client, and S/4HANA.
