October 10, 2023 at 10:48AM
German software maker SAP has released a total of seven new and two updated security notes as part of its October 2023 Security Patch Day. The most severe note updates the Chromium browser in SAP Business Client, fixing 37 vulnerabilities, including two critical ones. One critical flaw, CVE-2023-4863, is already being exploited and organizations are advised to check for this vulnerability in their software. Another updated note addresses a log injection flaw in NetWeaver. The remaining notes address medium-severity bugs. This Patch Day is notably calmer compared to the previous five years.
From the meeting notes, it is clear that German software maker SAP has released a total of nine security notes as part of its October 2023 Security Patch Day. These notes include updates and patches for various vulnerabilities and flaws in SAP products.
The most severe security note addresses vulnerabilities in the Chromium browser in SAP Business Client. This update includes fixes for 37 vulnerabilities, including two critical and 20 high-severity ones. It is important for organizations to check all their software for the presence of these vulnerabilities and apply the available patches.
One of the critical flaws mentioned is CVE-2023-4863, which is an already exploited bug in the libwebp image rendering library. This vulnerability has been causing concern among vendors, and it is advised to patch all applications that use libwebp.
Another vulnerability addressed is CVE-2023-5217, which has also been exploited and for which patches were released by Google in September. It has been added to CISA’s Known Exploited Vulnerabilities catalog.
SAP has also released an updated security note that addresses a log injection flaw in NetWeaver. This vulnerability, tracked as CVE-2023-31405, was initially patched in July 2023. However, customers need to implement both the initial patch and the update to be fully protected, as the update only addresses the ENGINEAPI component.
The remaining seven security notes in SAP’s advisory deal with medium-severity bugs. These include issues such as cross-site scripting (XSS), missing XML validation, server-side request forgery (SSRF), missing authorization check, log injection, and information disclosure bugs affecting various SAP products.
Overall, this Patch Day is considered to be one of the calmest in the past five years in terms of severity.
Full Article – https://ift.tt/l3UkI6G