Advisory

SAP Patches for May 2023

Take action: The SAP patch package for May is significant and quite complex, but users of SAP products should review it in detail because of the three critical severity vulnerabilities patched with this release.


Learn More

The May SAP Security Notes announce the release of twenty-five new and updated SAP security patches, including three HotNews Notes and nine High Priority Notes. Close attention should be paid to the critical vulnerabilities found in the web interface of SAP 3D Visual Enterprise License Manager.

One of the HotNews Notes is the regularly recurring SAP Security Note #2622660, which provides an update for SAP Business Client with the latest supported Chromium patches. The new version of SAP Business Client, now supporting Chromium version 112.0.5615.121, addresses a total of twenty-six vulnerabilities, thirteen of which are High Priority. The maximum CVSS score among the fixed vulnerabilities is 9.8. Version 112.0.5615.121 was an emergency security update from Google that fixed a critical vulnerability tracked as CVE-2023-2033; Google confirmed that an exploit for CVE-2023-2033 exists in the wild. According to NIST's description of the flaw, it allows a remote attacker to potentially exploit heap corruption through a crafted HTML page.

Two of the High Priority SAP Notes, #3217303 and #3213507, belong to a series of five SAP Security Notes initially released in 2022 that address Information Disclosure vulnerabilities in SAP BusinessObjects. The update states that HotNews Note #3307833 replaces these five notes; further details are given in the HotNews section below.

Details on the New HotNews Notes

SAP Security Note #3328495, with a CVSS score of 9.8, fixes five vulnerabilities in version 14.2 of the Reprise License Manager (RLM) component used with SAP 3D Visual Enterprise License Manager. Refer to the table provided in the original source for a summary of the patched vulnerabilities; additional details can be found in the referenced CVE and CWE links. The SAP Note recommends updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. However, since the recommended patch was already released in January 2023, the crucial step in addressing these issues appears to be disabling the affected RLM web interface. Disabling the web interface is described as a potential workaround. Nonetheless, it is always advisable to keep all components up to date. The update process offers an option to apply the latest version with the web interface disabled, which replaces the manual steps that would otherwise be required.

SAP Security Note #3307833, with a CVSS score of 9.1, includes multiple patches for Information Disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform. The most critical vulnerability in this note allows an authenticated attacker with administrator privileges to obtain the login token of any logged-in BI user or server over the network, without user interaction. This lets the attacker impersonate any user on the platform, leading to unauthorized access and data modification; the system may also become partially or entirely unavailable. Note #3307833 also replaces SAP Security Notes #3217303, #3145769, #3213524, #3213507, and #3233226. All of these notes were initially released in 2022 and were updated on SAP's May Patch Day. The update provides two important