SAP Patches Critical Vulnerability in Business One Product

November 15, 2023 at 08:58AM

SAP has released three new and three updated security notes as part of its November 2023 Security Patch Day. The most important new note addresses a vulnerability in the Business One application, while the updated notes address various vulnerabilities in different SAP products. Customers are advised to apply the patches promptly.

SAP announced the release of three new security notes and three updated security notes as part of its November 2023 Security Patch Day. The most important of the new security notes addresses a vulnerability in the Business One enterprise resource planning application. This vulnerability, tracked as CVE-2023-31403 with a CVSS score of 9.6, is an improper access control issue in the Business One product installation. It gives anonymous users read and write access to the SMB shared folder and affects components such as Crystal Report (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service, and BAS (file upload folder). Onapsis, an enterprise application security firm, explains that the security note provides a hotfix for Business One version 10.0 SP 2308, and customers on lower support package (SP) levels are advised to update to SP 2308 and apply the provided hotfix.
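A defender-side audit for the exposure described above, as an added example that is not code from SAP or Onapsis: it lists non-administrative SMB shares where Everyone, Anonymous Logon or Guest principals hold write access at the share or NTFS layer. It assumes the Business One server runs Windows and, because the article does not give share names, it checks every share; it is a review aid and does not replace the hotfix.

```powershell
# Added example: run elevated on the server that hosts the shared folders.
# Well-known SIDs: Everyone, Anonymous Logon, BUILTIN\Guests.
$riskySids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-32-546'
# WriteData (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-RiskyAccount([string]$Account) {
    if ($Account -match '^S-1-') { $sid = $Account }   # already a raw SID
    else {
        try {
            $sid = [System.Security.Principal.NTAccount]::new($Account).
                Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { return $false }                      # unresolvable: skip
    }
    # RID 501 is the local or domain Guest account
    return ($riskySids -contains $sid) -or ($sid -like 'S-1-5-21-*-501')
}

foreach ($share in Get-SmbShare -Special $false) {
    # Share-level ACL: Change or Full granted to an anonymous-capable principal
    $shareAces = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        "$($_.AccessRight)" -in 'Change', 'Full' -and
        (Test-RiskyAccount $_.AccountName)
    })
    # NTFS ACL on the shared directory: any write-capable right
    $ntfsAces = @()
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $ntfsAces = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
            (Test-RiskyAccount $_.IdentityReference.Value)
        })
    }
    # Write is effective only when both layers allow it; report either for review
    if ($shareAces.Count -or $ntfsAces.Count) {
        [pscustomobject]@{
            Share      = $share.Name
            Path       = $share.Path
            ShareLevel = ($shareAces.AccountName -join ', ')
            Ntfs       = ($ntfsAces.IdentityReference.Value -join ', ')
        }
    }
}
```

An empty result means no share grants write access to those principals directly; whether Everyone also covers anonymous sessions depends on the server's local security policy.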

The two other new security notes released by SAP address medium-severity information disclosure issues impacting NetWeaver Application Server ABAP and ABAP Platform, as well as NetWeaver AS Java Logon.

Regarding the updated security notes, the most important one addresses a critical-severity missing authorization check flaw in CommonCryptoLib, which affects multiple SAP products. SAP initially patched this vulnerability in September 2023 and has now updated the security note’s text with minor changes. The two remaining updated security notes address medium-severity vulnerabilities in NetWeaver AS Java and in multiple Sybase products.

While SAP has not mentioned any of these vulnerabilities being exploited in attacks, customers are advised to apply the patches as soon as possible.
