SAP’s security patch day for January 2023 saw the release of 8 new and 3 updated OSS SAP security notes. 4 notes have been classified as medium and 7 as critical based on their CVSS v3.0 rating.

 

[Figure: SAP security notes, January 2023, by CVSS v3 base score]

 

4 notes have been released for SAP BusinessObjects. 3 notes have been released for SAP NetWeaver AS JAVA. 2 notes have been released for SAP NetWeaver AS ABAP. Single notes have been released for SAP BPC and SAP Host Agent.

 

[Figure: SAP security notes, January 2023, by product category]

 

Vulnerabilities: January 2023 Highlights

 

[CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP) (SAP Note 3262810)

The Business Intelligence edition of SAP BusinessObjects allows an attacker to inject malicious code into the system that can be executed remotely. This would allow an attacker to completely compromise the system leading to a high impact on confidentiality, integrity and availability of the application.

 

[CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS (SAP Note 3275391)

SAP Business Planning and Consolidation MS allows an unauthorized attacker to execute database queries on the backend system. This allows them to access, modify and/or delete data.

 

[CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java (SAP Note 3268093)

An authenticated attacker can attach to an open interface and make use of an open API to access services that can expose users and data on the system. This would allow the attacker to have full read access for user data, to make modifications to user data and to make particular services within the system unavailable.

 

[CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (SAP Note 3089413)

SAP NetWeaver ABAP Server and ABAP Platform create information about system identity in an ambiguous format. This may be exploited by malicious users to obtain illegitimate access to the system.

 

About this review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
