In December 2023, SAP announced a major Patch Day that includes a number of critical security updates for various products. This month's release comprises four Hot News, four high, seven medium and two low priority security updates.

Hot News Updates

SAP Business Client (Versions 6.5, 7.0, 7.70): An important update has been provided for the SAP Business Client that addresses security vulnerabilities in the Google Chromium browser control that posed critical security risks.

SAP Business Technology Platform (BTP) Security Services Integration Libraries: Another significant update at the SAP Patch Day in December 2023 concerns the SAP BTP Security Services Integration Libraries. Several vulnerabilities (CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424) that allowed privilege escalation were fixed. Affected products are sap/xssec, cloud-security-services-integration-library, sap-xssec and github.com/sap/cloud-security-client-go.

SAP ECC and SAP S/4HANA (IS-OIL): A critical update to fix an OS command injection vulnerability (CVE-2023-36922) in SAP ECC and SAP S/4HANA (IS-OIL) has been released. This update is relevant for a wide range of versions, including 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806 and 807.

High Priority Updates

SAP BusinessObjects Business Intelligence Platform (versions 420, 430): A patch has been released here to fix a cross-site scripting (XSS) vulnerability known as CVE-2023-42478. XSS vulnerabilities allow attackers to inject malicious code into web pages viewed by other users. This patch prevents such attacks and increases the security of the platform.

SAP GUI for Windows and Java: An update has been provided for various versions of SAP GUI for Windows and Java to address an information disclosure vulnerability (CVE-2023-49580). This vulnerability could allow attackers to spy on or intercept sensitive information. The update will better protect the confidentiality of information processed via SAP GUI.

Medium Priority Updates

This category includes eight updates that address a wide range of vulnerabilities in various SAP products, including SAP Solution Manager, SAP Biller Direct and SAP HCM (SMART PAYE solution). The vulnerabilities range from Command Injection to Cross-Site Scripting and SQL Injection.

Low Priority Updates

The two updates in this category eliminate security vulnerabilities in the SAP Cloud Connector and SAP Master Data Governance.

The SAP Patch Day in December 2023 underlines the importance of regular security updates in the ever-evolving digital landscape. SAP users are urged to implement these updates immediately to protect their systems from potential threats. It is imperative that organizations follow the specific details and instructions for each patch to ensure complete and effective security coverage.

We will be happy to help you install the updates. Simply contact us.


SAP Patchday - Tönjes Consulting GmbH

Use SecurityBridge SAP Patch Management to never miss an important update for your SAP system again!

Contact us to learn more about SecurityBridge!

