SAP Patches Critical Vulnerabilities in December Update
On 12 December 2023, SAP's monthly Security Patch Day published 15 new Security Notes alongside updates to 2 previously released notes, continuing SAP's regular cadence of fixes for its large product ecosystem.
The release included a range of notes, addressing vulnerabilities of varying severity, from critical to moderate. Notably, among the new releases, several were classified as ‘Hot News’, indicating their high priority and potential impact.
One of the most critical updates addressed a privilege escalation vulnerability in the SAP Business Technology Platform (BTP) Security Services Integration Libraries. This fix covers multiple CVEs (CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, CVE-2023-50424) and is crucial in preventing unauthorized access to sensitive corporate data.
Another significant update rectified an OS command injection vulnerability (CVE-2023-36922) in SAP ECC and SAP S/4HANA (IS-OIL), rated with a CVSS score of 9.1, which reflects the serious nature of the flaw. If left unpatched, such a vulnerability could allow attackers to execute arbitrary commands on the affected host, posing a considerable risk to business operations and data integrity.
The remaining Security Notes covered a range of other issues, including improper access control, cross-site scripting, information disclosure, and SQL injection vulnerabilities. Applying these patches promptly is critical to keeping SAP systems secure against evolving attack vectors.