
Cloud Vulnerability DB
A community-led vulnerabilities database
The SAP CommonCryptoLib vulnerability CVE-2023-40308 was disclosed on September 11, 2023. An unauthenticated attacker can craft a request which, when submitted to an open port, triggers a memory corruption error in the library and crashes the receiving component, making it unavailable. Because CommonCryptoLib is bundled with many SAP products, the affected list is long: SAP CommonCryptoLib 8.0.0, NetWeaver AS ABAP, NetWeaver AS Java, the ABAP Platform of S/4HANA on-premise, Web Dispatcher, Content Server, HANA Database, Host Agent, and Extended Application Services and Runtime (SecurityWeek, NVD).
The vulnerability is classified as a memory corruption issue with a CVSS v3.1 base score of 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack vector is Network (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). Scope is Unchanged (S:U); there is No impact on confidentiality (C:N) or integrity (I:N) but High impact on availability (A:H), which is what keeps the score out of the Critical range despite the fully remote, unauthenticated trigger. The weakness type is CWE-787 (Out-of-bounds Write) (NVD).
Successful exploitation results in a denial of service: the target component crashes and becomes unavailable until restarted. The attacker gains no ability to view or modify any information through this vulnerability (NVD, CyberSecurityNews).
SAP released patches for this vulnerability as part of its September 2023 Security Patch Day. The patches issued for CVE-2023-40309 also address this issue, so systems already updated for that CVE are covered. Because CommonCryptoLib is a shared library, the update must be applied to every affected product that bundles it, not only to the central NetWeaver or HANA systems; organizations are advised to apply the security updates to all affected systems (SecurityWeek).
Source: This report was generated using AI