SAP Security Patch Day 01/2023

“January 2023 Patch Day”

For many people who began their working year after the end of the school vacations, 2023 started right away with Patch Day.

While only 12 notes have been released since December 2022, 7 of them were released with a high priority (CVSS rating higher than 9).

Most of the fixes are not relevant for the setup we have in place: in this blog we report on our patching activities on the HCM system, which is a “classic” SAP NetWeaver AS for ABAP system. Accordingly, notes concerning SAP BusinessObjects or the Java stack are not considered here. However, the notes must always be evaluated for the specific landscape, and that evaluation may lead to a different decision for your systems.

First, the simple part: Note 3283283 [1] corrects a cross-site scripting (XSS) vulnerability. Corrections of this type can usually be adopted without additional testing effort. After reviewing the source code changes, the note was applied directly.

Corrections to central RFC mechanism

The first Patch Day of the year also includes the critical-rated note 3089413 [2] (CVSS 9.0), which is – let’s say it a bit flatly – a “big bang”:

  • All NetWeaver AS for ABAP versions from 7.00 – 7.89 as well as various versions of the SAP kernel are affected. You could also say: (almost) all ABAP stacks are affected!
  • The note addresses a “capture-replay” vulnerability in the Trusted-RFC connection area: “This can be exploited by malicious users to gain access to the system.” [Capture-Replay: resending of previously recorded data.]
  • Trusted-RFC connections represent a key API in the NetWeaver architecture and are used across the board. It can therefore be assumed that this correction is really required for a very large number of SAP systems.
  • SAP strongly recommends that you back up your system before installing the note.
  • The import is not possible through the Note Assistant (SNOTE), because the correction consists of several steps and first requires a kernel update and an ABAP patch via transaction SAINT. Finally, a migration of the connection data must also be performed.

The note itself is somewhat confusing because of its numerous prerequisite and linked notes. We therefore also refer to the assessment by Frank Buchholz from SAP in his blog [3].

Thus, it is also clear that you cannot implement note 3089413 “just on the side”. For the systems in our landscape, we have scheduled the backup and the necessary kernel patch for this weekend.

We will report on the further steps in an update here.

Until then, we wish “Happy Patching!”

[1] 3283283 – [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – SAP ONE Support Launchpad

[2] 3089413 – [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – SAP ONE Support Launchpad

[3] Note 3089413 – Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – Security and Identity Management – Support Wiki