Skip to main content

SAP Releases May 2023 Security Updates

Scheduled security updates address vulnerabilities affecting multiple products

Threat ID:
CC-4318
Threat Severity:
Information only
Published:
10 May 2023 4:36 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Scheduled security updates address vulnerabilities affecting multiple products

Affected platforms

The following platforms are known to be affected:

SAP BusinessObjects Business Intelligence Platform

SAP NetWeaver Application Server

The following platforms are also known to be affected:

  • SAP 3D Visual Enterprise License Manager
  • SAP IBP add-in for Microsoft Excel
  • SAP PowerDesigner (Proxy)
  • SAP IBP EXCEL ADD-IN
  • SAP Commerce
  • SAP GUI for Windows
  • SAP UI
  • SAP CRM
  • SAP Business Planning and Consolidation
  • SAP Application Interface Framework (ODATA service)
  • SAP Vendor Master Hierarchy

Threat details

Introduction

SAP has released security updates to address multiple vulnerabilities, which are covered in eighteen new security notes and six updates to previous notes. Two of these vulnerabilities are rated as critical and nine vulnerabilities are rated as high. An attacker could exploit some of these vulnerabilities to perform privilege escalation, cross site scripting (XSS), denial-of-service, or other malicious activity.

Remediation advice

Affected organisations are encouraged to review the SAP Security Notes for May 2023 and apply the necessary updates.

CVE Vulnerabilities

Status Published

CVE-2021-44151

An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.
Status Published

CVE-2021-44152

An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.
Status Published

CVE-2021-44153

An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)
Status Published

CVE-2021-44154

An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.
Status Published

CVE-2021-44155

An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.
Status Published

CVE-2023-28762

SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction. The attacker can impersonate any user on the platform resulting into accessing and modifying data. The attacker can also make the system partially or entirely unavailable.

Last edited: 10 May 2023 4:36 pm