SAP Security Patch Day 07/2023

Running like clockwork…

“SAP Security Patch Day in July with 18 new Security Notes – two of them to be imported into our HCM system” – this is the crisp summary for our HCM system. On closer inspection, the following notes are interesting:

  • 3350297 [1]: This note fixes a so-called OS Command Injection, which works via a kernel call with the command CALL ‘SYSTEM’. This allows attackers to issue operating system commands on the application server. As a consequence, both data integrity and system availability are completely at stake – hence the vulnerability is rightly assigned a CVSS score of 9.1.
    Important: the source code belongs to the industry solution IS-OIL and is therefore not technically relevant for our HCM processes. But the source code is nevertheless in the system, often for historical reasons. And that is all that matters to the attacker: it is executable! Therefore, it is imperative to patch.
  • 3351410 [2]: In this note, a function module that grants manipulative access to the SAP system log is disabled (= source code commented out). And again interesting: the function module is in the industry solution for Defense Forces, so it has nothing to do with HCM, but it is still exploitable!
    From the patch user’s point of view this means: just apply it, no further testing effort is to be expected!
  • 3233899 [3] and 3340735 [4]: These two notes address vulnerabilities in the SAP Web Dispatcher and the ICM module of the SAP NetWeaver Application Server ABAP, respectively, in part with a critical CVSS score of 8.6.
    This shows that even if the transaction SNOTE signals that the note is not to be imported, the texts of the high-priority notes should still be read. For example, the above notes may require an SAP kernel patch to be applied (not in our HCM system, since we are already “new” enough).
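
The first two notes concern code that sits in the system unused, one of them fixed by commenting the source out. As an added example (not part of the original post and not SAP code), the following Python sketch scans exported ABAP source for active `CALL 'SYSTEM'` statements and ignores commented-out ones. The sample source and all names are constructed; backquote string literals are not handled.

```python
import re

# Constructed ABAP sample (not taken from any SAP note or system).
SAMPLE_ABAP = """\
REPORT zdemo_legacy.
* CALL 'SYSTEM' ID 'COMMAND' FIELD lv_old.
lv_cmd = p_input.  " CALL 'SYSTEM' appears in this comment only
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
              ID 'TAB'     FIELD lt_out.
WRITE 'CALL ''SYSTEM'' is only text here'.
call 'SYSTEM' ID 'COMMAND' FIELD 'df -k'.
"""

KERNEL_CALL = re.compile(r"CALL\s+'SYSTEM'(.*)", re.I)
COMMAND_ARG = re.compile(r"ID\s+'COMMAND'\s+FIELD\s+('[^']*'|\S+)", re.I)

def active_statements(source):
    """Yield (first_line, text) for each statement, skipping comments."""
    buf, start = [], None
    for no, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):            # full-line comment
            continue
        in_str = False
        for ch in line:
            if ch == "'":
                in_str = not in_str         # '' inside a literal toggles twice
            elif ch == '"' and not in_str:  # inline comment, drop rest of line
                break
            elif ch == "." and not in_str:  # end of statement
                if start:
                    yield start, "".join(buf).strip()
                buf, start = [], None
                continue
            if not ch.isspace():
                start = start or no
            buf.append(ch)
        buf.append(" ")                     # line break inside a statement

def find_system_calls(source):
    """Return (line, command operand, operand kind) per active kernel call."""
    findings = []
    for line_no, stmt in active_statements(source):
        call = KERNEL_CALL.match(stmt)
        if call:
            arg = COMMAND_ARG.search(call.group(1))
            operand = arg.group(1) if arg else None
            kind = "none" if not arg else "literal" if operand[0] == "'" else "variable"
            findings.append((line_no, operand, kind))
    return findings
```

A `variable` operand is the case to review first, since its content may derive from input; a hit in an unused industry solution counts the same as one in productive code.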

The description of our patch activities for July ends with the recommendation to “always think outside the box”!
Get through the heat well!


[1] 3350297 – [CVE-2023-36922] OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) – SAP for Me

[2] 3351410 – [CVE-2023-36924] Log injection vulnerability in SAP ERP Defense Forces and Public Security – SAP for Me

[3] https://me.sap.com/notes/3233899

[4] 3340735 – [CVE-2023-35871] Memory corruption vulnerability in SAP Web Dispatcher – SAP for Me