Advisory

SAP Patches multiple critical and high severity issues in their products

Take action: Even SAP says that the critical patches are not difficult to implement, so plan a systematic rollout if you are running SAP BusinessObjects.



SAP's Patch Day release for September 2023 brings significant updates and security enhancements to SAP software. The patches address vulnerabilities in various SAP products, with a focus on SAP BusinessObjects and SAP CommonCryptoLib.
A total of eighteen new and updated SAP Security Notes were issued on this Patch Day, among them five critical and two high severity notes.


Five patches were specifically dedicated to SAP BusinessObjects, including four Critical Notes and one High severity Note. The most notable update is SAP Security Note #2622660, which provides an update for SAP Business Client, including essential Chromium patches. This update brings support for Chromium version 116.0.5845.97, fixing a total of sixty-seven vulnerabilities, including one Critical and thirty-one High Priority vulnerabilities.

Critical notes

  • HotNews Note #3245526 (CVSS score 9.9): This note, first released in March 2023, addresses a Code Injection vulnerability in SAP BusinessObjects. It has been updated with the latest patch levels.
  • HotNews Note #3273480 (CVSS score 9.9): This note is an update necessitated by the accidental deletion of the Security Note. No customer action is required.
  • SAP Security Note #3320355 (CVSS score 9.9): This is a new HotNews Note for SAP BusinessObjects. It addresses an Information Disclosure vulnerability in the Promotion Management component; successful exploitation could lead to a complete compromise of the application. As a workaround, SAP recommends granting appropriate rights for accessing and performing promotions in Promotion Management.
  • SAP Security Note #3340576 (CVSS score 9.8): Another new HotNews Note addresses missing or incorrect authorization checks in SAP CommonCryptoLib, which could result in privilege escalation and, in the worst case, complete compromise of the affected application.

High Severity Notes

  • Apart from HotNews Notes, High Priority Notes were also issued. Notably, SAP Security Note #3370490 (CVSS score 8.7) patches an Insufficient File Type Validation vulnerability in the Web Intelligence HTML interface of SAP BusinessObjects Business Intelligence Platform. It could potentially allow attackers to read and modify sensitive data, impacting confidentiality and integrity.

Patching Effort
SAP advises that, despite the high number of security notes, the patching effort is manageable. Two HotNews Notes are minor updates that require no customer action, and implementing the SAP BusinessObjects and SAPCryptoLib notes should not require excessive effort.
