SAP Patch Day: New HotNews Notes in March 2023


SAP Patch Day is an important date for SAP customers and users, as the company releases its latest security patches and updates on this day.

On SAP Patch Day, SAP releases critical security notes, which are flagged with High Priority Notes to protect users against potential threats and vulnerabilities in their SAP NetWeaver systems. This includes the release of six new HotNews patches that address critical issues, such as the Improper Access Control vulnerability of SAP NetWeaver AS Java and Remote Code Execution vulnerabilities in several remote-enabled function modules.

Onapsis Research Labs (ORL) collaborates with SAP to address these critical issues and provide SAP customers with the latest security fixes. Today’s business landscape requires SAP customers to continuously reassess their SAP security strategies and take preventive measures to guard against potential threats. It is, therefore, essential for organizations to stay informed about SAP’s latest security notes and updates.

An Overview of March 2023 SAP Patch Day

The latest SAP Patch Day was on 14th March 2023, which saw the release of four High Priority Notes from SAP. These notes patched seven vulnerabilities in total, with one tagged with a CVSS score of 9.9. While three notes were related to SAP NetWeaver AS ABAP, one targeted the SAPOSCOL executable with a CVSS score of 7.2. The patch released by SAP also withdrew the implementation of an affected ABAP class that was no longer used by them.

The most severe vulnerability patched by SAP was an Improper Access Control vulnerability in SAP NetWeaver AS Java’s Locking Service (tagged with a CVSS score of 9.9). The vulnerability allows unauthenticated attackers to attach to an open interface and make use of an open naming and directory API to access services and perform unauthorized operations without requiring any authentication credentials or authorization permissions. Such malicious activities can affect both users and services across multiple systems if left unaddressed.

SAP’s Remote Code Execution (RCE) patch (tagged with a CVSS score of 8.8) addressed two vulnerabilities that were present in several remote-enabled function modules employed by Active Global Support service providers for evaluating custom code, thus allowing dynamic calls of arbitrary local functions whose interfaces fulfilled specific conditions determined by the attackers who required only S_RFC authorization either on one function module or on its entire group – ST-PI Add-Ons – affecting SolutionManager systems’ connected ABAP managed systems as well.

Additionally, SAP Security Note #3294954 which had a CVSS score of 8.7 addressed Directory Traversal vulnerabilities in a remote-enabled function module within SAP NetWeaver AS ABAP that allowed attackers to delete arbitrary files at the OS level making the system unavailable if exploited successfully without proper protection measures being taken proactively beforehand through timely patching and updating processes followed faithfully within organizations running on SAP applications, infrastructure setup, and configurations. 

Meanwhile, Server Side Request Forgery vulnerability alongside Denial of Service vulnerability patched via Security Note #3296346 had respective CVSS scores of 7.4 and 6.5 respectively due to improper input controls allowing non-administrative user authenticated attackers craft requests triggering application server requests sent out towards arbitrary URLs leading to low impact on confidentiality integrity and availability when exploited successfully. 

Overall, it is clear from these incidents that taking proactive steps toward addressing threats before they become exploited is essential for maintaining secure operations especially when running instances powered by complex enterprise software such as SAP’s applications and platforms. As such, it is recommended that organizations stay informed real-time about upcoming patch days like this one and ensure timely application of all the latest security fixes available while keeping their IT setups updated regularly so as to remain prepared for potential threats at all times.

According to Thomas Fritsch, SAP Security Researcher at Onapsis, the number of new SAP Security Notes on SAP’s March Patch Day is comparable with the number last month. He shared:

“The patched vulnerabilities have shown once more that input validation and proper authentication and authorization checks are key to protecting applications. Another lesson learned of this Patch Day: Cleanup unused code as it often contains unrecognized security issues.”

Share this post

submit to reddit
scroll to top