SAP Patches Critical Vulnerability in Business Technology Platform

December 12, 2023 at 02:06PM

SAP announced 15 new and two updated security notes in its December 2023 Security Patch Day. These include ‘hot news’ notes addressing vulnerabilities in SAP Business Technology Platform and Business Client, and OS command injection flaws in SAP ECC and SAP S/4HANA. Various other high- and medium-priority issues were also resolved. Customers are urged to review and apply the updates promptly.

Key takeaways:

– SAP released a total of 15 new and 2 updated security notes as part of its December 2023 Security Patch Day.
– Four of the security notes are rated “hot news”; one addresses multiple vulnerabilities in SAP Business Technology Platform (BTP), including a critical-severity elevation of privilege flaw identified as CVE-2023-49583.
– SAP urges all customers to review the security note, ensure that their systems meet required prerequisites for the update, and apply the provided solution.
– An additional three updated hot news notes include patches for the Chromium-based browser in SAP Business Client, as well as updates for a security note addressing an OS command injection flaw in SAP ECC and SAP S/4HANA (IS-OIL).
– SAP also released four high-priority security notes, resolving issues such as an improper access control bug in Commerce Cloud, a cross-site scripting (XSS) flaw in BusinessObjects, an information disclosure issue in SAP GUI for Windows and SAP GUI for Java, and a missing authorization check bug in EMARSYS SDK Android.
– In addition, SAP released seven medium-priority and two low-priority security notes.
