
SAP Patches Critical Vulnerability Impacting NetWeaver, S/4HANA

SAP has released patches for a critical vulnerability impacting multiple enterprise applications, including NetWeaver and S/4HANA.

German business software maker SAP on Tuesday announced the release of 13 new and five updated security notes as part of its September 2023 Security Patch Day.

Five of the SAP security notes released this month are rated ‘hot news’, the company’s highest rating. Three of them, however, are updates for previously released security notes.

The most severe of the new hot news notes addresses a critical vulnerability in BusinessObjects (CVE-2023-40622, CVSS score of 9.9), allowing attackers to access information that could be used in other attacks, potentially leading to complete application compromise.

The issue, enterprise application security firm Onapsis explains, impacts the job folder of the Promotion Management component.

As a workaround, organizations should provide only required users with the necessary rights to access and perform promotions, and should deny administrators the view rights on the Promotion jobs folder.

The second new hot news security note SAP released this month addresses a missing authorization check issue in CommonCryptoLib. Tracked as CVE-2023-40309 (CVSS score of 9.8), the bug impacts multiple SAP products, including NetWeaver, S/4HANA, Web Dispatcher, Content Server, Host Agent, and Extended Application Services and Runtime (XSA).

“Missing or wrong authorization checks in SAP CommonCryptoLib can result in an escalation of privileges. The resulting impact depends on the application and on the level of acquired privileges. In the worst case, attackers can compromise the affected application completely,” Onapsis explains.


This month, SAP has updated hot news security notes addressing vulnerabilities in the Chromium browser in Business Client (the update fixes 67 vulnerabilities), a code injection flaw in BusinessObjects, and an improper access control issue in NetWeaver (the note was previously deleted by accident).

On Tuesday, SAP also announced the release of two new high-priority security notes that address an insufficient file type validation flaw in BusinessObjects (CVE-2023-42472), and a memory corruption bug in CommonCryptoLib (CVE-2023-40308 – the patches for CVE-2023-40309 automatically patch this issue as well).

The remaining security notes address medium- and low-severity vulnerabilities in PowerDesigner Client, BusinessObjects Suite, S/4HANA, SAPUI5, Quotation Management Insurance, NetWeaver, and S4CORE.

“With eighteen new and updated SAP Security Notes, including five HotNews Notes and two High Priority Notes, SAP’s September Patch Day seems to be a busy one. But since two HotNews Notes are only minor updates that do not require customer actions and not much effort is needed to implement SAP BusinessObjects and SAPCryptoLib notes, the patching effort is manageable,” Onapsis points out.

Related: SAP Patches Critical Vulnerability in PowerDesigner Product

Related: SAP Patches Critical Vulnerability in ECC and S/4HANA Products

Related: SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
