The SAP Security Notes for November 2023 featured a critical “Hot News” patch for a missing authentication vulnerability in SAP Business One, which registered a 9.6 CVSS score. Other key updates addressed a Cross-Site Request Forgery (CSRF) vulnerability in SAP Sybase and two separate information disclosure issues in SAP NetWeaver ABAP and Java servers.
This advisory summarizes the most important patches released by SAP in November 2023. The month was highlighted by a critical vulnerability in SAP Business One that allowed for improper access control. Additional medium-priority patches were released to fix information disclosure vulnerabilities in SAP NetWeaver Application Server ABAP and Java, as well as an update for a CSRF flaw in SAP Sybase solutions. Organizations should review these notes to prioritize patching and secure their enterprise systems.
Key Takeaways for November 2023
- A critical missing authentication flaw (CVSS 9.6) was patched in SAP Business One.
- An updated note addressed a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase products.
- An information disclosure vulnerability was fixed in the Internet Communication Manager (ICM) of SAP NetWeaver AS ABAP.
- A separate information disclosure flaw in SAP NetWeaver AS Java allowed attackers to discover legitimate user IDs.
November 2023 SAP Security Note Summary
The following table provides a high-level summary of the key vulnerabilities addressed in the November 2023 SAP Security Patch Day.
| SAP Note | Product(s) Affected | Vulnerability Type | CVSS Score |
|---|---|---|---|
| 3355658 | SAP Business One | Missing Authentication / Improper Access Control | 9.6 (Critical) |
| 2494184 | SAP Sybase (ASE, IQ, Replication Server, etc.) | Cross-Site Request Forgery (CSRF) | Medium |
| 3362849 | SAP NetWeaver Application Server ABAP | Information Disclosure | 5.3 (Medium) |
| 3366410 | SAP NetWeaver Application Server Java | Information Disclosure | 5.3 (Medium) |
What was the critical vulnerability in SAP Business One? (Note 3355658)
Hot News note 3355658 patches a critical missing authentication check in SAP Business One, rated with a CVSS score of 9.6. The vulnerability allowed anonymous, unauthenticated users to gain read and write access to SMB shared folders, with high impact on confidentiality, integrity, and availability. The affected components included the Crystal Reports (CR) shared folder, the Traditional Mobile app’s attachment path, and others. The correction modifies the folder permissions so that access is granted only to authenticated and authorized users.
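As an added defender-side check (example code, not from SAP or the note), the following PowerShell audit inventories a Business One host's SMB shares and flags the condition note 3355658 corrects: share-level or NTFS grants that give anonymous or everyone-style principals write access, plus any share exposed via the NullSessionShares policy. The principal lists and severity labels are assumptions to adjust per site.

```powershell
# Added audit script, not part of SAP Note 3355658. It lists the host's non-admin SMB
# shares and reports grants that let unauthenticated (or merely authenticated, not
# authorized) principals write to them. Principal lists below are site assumptions.
$AnonymousPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON', 'ANONYMOUS LOGON',
                         'BUILTIN\Guests', 'Guests')
$BroadPrincipals     = @('NT AUTHORITY\Authenticated Users', 'Authenticated Users')

function Get-PrincipalSeverity([string]$Account) {
    if ($AnonymousPrincipals -contains $Account) { return 'High' }    # no authentication at all
    if ($BroadPrincipals -contains $Account)     { return 'Review' }  # authenticated, not authorized
    return $null
}

function Get-AnonymousWritableShares {
    $findings = @()
    $nullShares = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                   -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }) {
        if ($nullShares -contains $share.Name) {   # share reachable over a null (anonymous) session
            $findings += [pscustomobject]@{ Share=$share.Name; Layer='NullSessionShares'; Principal='(null session)'; Rights='anonymous'; Severity='High' }
        }
        # Share-level ACL: Full and Change permit writes, Read does not
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $sev = Get-PrincipalSeverity $ace.AccountName
            if ($sev -and $ace.AccessControlType -eq 'Allow' -and ([string]$ace.AccessRight -in @('Full','Change'))) {
                $findings += [pscustomobject]@{ Share=$share.Name; Layer='Share'; Principal=$ace.AccountName; Rights=$ace.AccessRight; Severity=$sev }
            }
        }
        # NTFS ACL on the backing folder: any Write bit set (Modify and FullControl include it)
        $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
        foreach ($rule in (Get-Acl -LiteralPath $share.Path).Access) {
            $sev = Get-PrincipalSeverity $rule.IdentityReference.Value
            if ($sev -and $rule.AccessControlType -eq 'Allow' -and ((([int]$rule.FileSystemRights) -band $writeBits) -ne 0)) {
                $findings += [pscustomobject]@{ Share=$share.Name; Layer='NTFS'; Principal=$rule.IdentityReference.Value; Rights=$rule.FileSystemRights; Severity=$sev }
            }
        }
    }
    return $findings
}

Get-AnonymousWritableShares | Sort-Object Severity, Share | Format-Table -AutoSize
```

Run it elevated on the Business One server before and after applying the note; an empty result for the CR shared folder and the mobile attachment path is the expected post-patch state.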
What vulnerability was addressed in SAP Sybase? (Note 2494184)
Note 2494184 was an updated note addressing a Cross-Site Request Forgery (CSRF) vulnerability. This issue impacts multiple SAP Sybase solutions, including ASE, Event Stream Processor IQ, Replication Server, and SQL Anywhere. A CSRF attack can trick an authenticated user’s browser into sending an unintended request to the web server, potentially allowing an attacker to perform actions on behalf of the user.
What vulnerabilities were patched in SAP NetWeaver?
Two separate information disclosure vulnerabilities in SAP NetWeaver were addressed.
Note 3362849 fixed an information disclosure vulnerability in the Internet Communication Manager (ICM) for SAP NetWeaver Application Server ABAP. This flaw could allow an unauthenticated attacker to access unintended data under certain conditions.
Note 3366410 patched a different information disclosure vulnerability, this time in SAP NetWeaver Application Server Java (version 7.50). This flaw allowed attackers to enumerate valid user IDs by brute-forcing the Java Logon application, a username-enumeration weakness that impacts system confidentiality.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability in November 2023?
The most critical issue was a missing authentication check in SAP Business One, detailed in Hot News note 3355658. This vulnerability received a CVSS score of 9.6 out of 10 due to its high impact on confidentiality, integrity, and availability.
Which SAP products were affected by the November 2023 notes?
Key products affected by the most notable notes included SAP Business One, various SAP Sybase solutions (ASE, Event Stream Processor IQ, Replication Server, SQL Anywhere), and SAP NetWeaver Application Servers for both ABAP and Java.
What was the impact of the SAP Business One vulnerability?
The vulnerability allowed anonymous users to read and write to sensitive SMB shared folders. This could allow an attacker to access, modify, or delete data, or execute files used by the installation process.