SAP Releases March 2023 Security Updates

Scheduled security updates address vulnerabilities affecting multiple products

Threat ID:: CC-4284
Threat Severity:: Medium
Published:: 15 March 2023 12:33 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Scheduled security updates address vulnerabilities affecting multiple products

Affected platforms

The following platforms are known to be affected:

SAP NetWeaver Application Server

SAP BusinessObjects Business Intelligence Platform

The following platforms are also known to be affected:

SAP Solution Manager and ABAP managed systems (ST-PI)
SAP Host Agent
SAP Enterprise Portal
SAP ABAP Platform

Threat details

Introduction

SAP has released security updates to address multiple vulnerabilities, which are covered in nineteen new security notes. Five of these vulnerabilities are rated critical and involve issues such as code injection, directory traversal attack, and improper access control. An attacker could exploit some of these vulnerabilities to take control of an affected system.

Remediation advice

Affected organisations are encouraged to review the SAP Security Notes for March 2023 and apply the necessary updates.

Definitive source of threat updates

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

CVE Vulnerabilities

Status Published

CVE-2023-25616

In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. Successful attack could highly impact the confidentiality, Integrity, and Availability of the system.

Status Published

CVE-2023-23857

Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable.

Status Published

CVE-2023-27269

SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.

Status Published

CVE-2023-27500

An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.

Status Published

CVE-2023-25617

SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system.

Last edited: 15 March 2023 12:33 pm