Take action: SAP Business One customers should schedule the Business One patch promptly. The updated CommonCryptoLib note needs equal attention: the library ships embedded in many SAP components, so the fixed version has to be redeployed on every system that bundles it, not applied once. If any of these SAP systems is reachable from the internet, patch immediately; otherwise schedule the work for the next maintenance cycle without letting it slip.
SAP's Security Patch Day for November 2023 released six security notes: three new notes and three updates to notes published earlier.
- The most critical issue, rated Hot News (SAP's label for notes with a CVSS score of 9.0 or higher), is an improper access control flaw in SAP Business One. Tracked as CVE-2023-31403 (CVSS v3 score 9.6), it affects authentication and authorization for the SMB shared folder in SAP Business One version 10.0. An attacker who can reach the share can read, write, and execute files in it, with high impact on the confidentiality, integrity, and availability of the system.
- The other major item is an update to a note first released on the September 2023 Patch Day, covering SAP CommonCryptoLib. The vulnerability, CVE-2023-40309 (CVSS score 9.8), is a missing authorization check that can lead to privilege escalation: an attacker could perform actions or access data that should be restricted to particular user groups.
- The remaining four notes address medium-severity issues. SAP's patch day summary lists them together with the Business One Hot News note, SAP Security Note #3355658.
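Until the Business One patch is applied, the practical question for an administrator is whether the SMB share on the Business One host is exposed to broad principals or to untrusted networks. The following PowerShell check is an added example written for this article; it is not SAP code and not taken from the security note. It uses only the built-in SmbShare and NetSecurity cmdlets, and the share-name filter is an assumption that must be adjusted to the actual Business One shared folder.

```powershell
# Added example (not SAP's code): audit SMB share permissions on a Windows host
# running SAP Business One and flag entries that grant broad principals more
# than Read access. Requires an elevated PowerShell session on Windows Server 2012+.

# Principals that should never hold Change or Full control on an application share.
$BroadPrincipals = @(
    'Everyone',
    'ANONYMOUS LOGON',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Guests',
    'BUILTIN\Users'
)

function Get-RiskySmbShareAccess {
    param(
        # Wildcard for the shares to audit. '*' audits every non-administrative share;
        # a specific name such as 'B1_SHR' is an assumption about your environment.
        [string]$ShareFilter = '*'
    )

    Get-SmbShare |
        Where-Object { -not $_.Special -and $_.Name -like $ShareFilter } |
        ForEach-Object {
            $share = $_
            Get-SmbShareAccess -Name $share.Name |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $_.AccountName -and
                    $_.AccessRight -ne 'Read'
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share       = $share.Name
                        Path        = $share.Path
                        Account     = $_.AccountName
                        AccessRight = $_.AccessRight
                    }
                }
        }
}

function Get-SmbInboundRulesOnPublicProfile {
    # Inbound "File and Printer Sharing" rules enabled on the Public profile mean
    # TCP/445 is reachable from networks the host does not trust.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Profile.ToString() -match 'Public|Any'
        } |
        Select-Object DisplayName, Profile, Action
}

# Usage: report, then tighten. Replace the principal below with the service
# account that actually needs the share (an assumption, not an SAP-defined name).
Get-RiskySmbShareAccess | Format-Table -AutoSize
Get-SmbInboundRulesOnPublicProfile | Format-Table -AutoSize

# Remediation pattern for a flagged share (uncomment and adapt):
# Revoke-SmbShareAccess -Name 'B1_SHR' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'B1_SHR' -AccountName 'CONTOSO\svc-b1' -AccessRight Change -Force
```

Share-level permissions are only half of the control: the NTFS ACL on the underlying folder is evaluated as well, so run `Get-Acl` on the reported `Path` values too. Restricting the share is a compensating measure; it does not replace the patch, because the vulnerability concerns how Business One itself authenticates and authorizes access to the folder.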
As of the latest update, there are no known exploits of these vulnerabilities in the wild.