October 2023 SAP security updates addressed several critical and high-priority vulnerabilities, most notably a privilege escalation flaw in the SAP Common Cryptographic Library. Administrators are advised to update their systems, specifically applying Note 3340576, to secure impacted products including SAP NetWeaver, S/4HANA, and the SAP HANA Database.
The October 2023 SAP security patch cycle targeted a range of vulnerabilities across the SAP ecosystem, including critical authorization issues and common web-based exploits. The most significant update, Note 3340576, fixes a missing authorization check in the Common Cryptographic Library (CommonCryptoLib) that could allow attackers to escalate privileges. This library is foundational to many SAP products, including SAP NetWeaver AS ABAP and Java, S/4HANA, and the SAP HANA Database. Other updates addressed Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application and log injection vulnerabilities within the AS Java Log Viewer. Additionally, security teams must address Cross-Site Scripting (XSS) and XML validation issues affecting SAP BusinessObjects and SAP PowerDesigner Client. Organizations should prioritize these updates to mitigate risks of unauthorized access and system compromise.
Key Takeaways
- Update to CommonCryptoLib 8.5.50 or higher to fix a critical privilege escalation vulnerability (Note 3340576).
- Patch the GRMG Heartbeat application in SAP NetWeaver AS Java to prevent Server-Side Request Forgery (Note 3333426).
- Implement encoding and validation for the AS Java Log Viewer to address log injection (Notes 3324732 and 3371873).
- Remediate XSS and XML validation flaws in SAP BusinessObjects and SAP PowerDesigner Client (Notes 3372991 and 3357154).
What is the critical CommonCryptoLib vulnerability?
The critical vulnerability in CommonCryptoLib, tracked under Note 3340576, is a missing authorization check that could enable attackers to escalate privileges. This library is installed across multiple SAP products, including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java, the ABAP Platform of S/4HANA on-premise, SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. To address this, organizations must install CommonCryptoLib 8.5.50 or higher by upgrading the relevant software components to the recommended versions.
How to fix the GRMG Heartbeat SSRF vulnerability?
Note 3333426 addresses a Server-Side Request Forgery (SSRF) vulnerability in the GRMG Heartbeat application of SAP NetWeaver AS Java. This flaw could lead to information disclosure that attackers might use to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.
How to address log injection in AS Java?
Notes 3324732 and 3371873 address a log injection vulnerability found in the Log Viewer of AS Java. The patches specified in these notes implement encoding and validation for user input to mitigate the risk in the impacted components.
What are the XSS and XML validation updates?
Notes 3372991 and 3357154 provide patches for Cross-Site Scripting (XSS) and missing XML validation vulnerabilities, respectively. These updates target SAP BusinessObjects and SAP PowerDesigner Client.
Summary of October 2023 SAP Security Notes
The following table summarizes the key vulnerabilities addressed in the October 2023 release.
| SAP Security Note | Vulnerability Type | Impacted Component / Product |
|---|---|---|
| 3340576 | Missing Authorization Check | CommonCryptoLib |
| 3333426 | Server-Side Request Forgery | GRMG Heartbeat (AS Java) |
| 3324732, 3371873 | Log Injection | Log Viewer (AS Java) |
| 3372991 | Cross-Site Scripting | SAP BusinessObjects |
| 3357154 | Missing XML Validation | SAP PowerDesigner Client |
Frequently Asked Questions
How do I address the critical CommonCryptoLib vulnerability?
You should install CommonCryptoLib 8.5.50 or higher. This is achieved by upgrading the specific software components of your impacted SAP products to the versions recommended in Note 3340576.
Which SAP products are impacted by the CommonCryptoLib flaw?
The flaw impacts SAP NetWeaver AS ABAP, SAP NetWeaver AS Java, the ABAP Platform of S/4HANA on-premise, SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent.
Where can I find the latest SAP security advisories?
You can find ongoing updates and threat reports at the Threat Reports & Advisories page provided by Layer Seven Security.