SAP’s security patch day for April 2023 saw the release of 23 new OSS SAP security notes. Based on their CVSS v3.0 ratings, 4 notes are classified as critical, 1 as high, 15 as medium and 3 as low.
4 notes have been released for SAP NetWeaver AS ABAP; 3 each for SAP NetWeaver AS JAVA and SAP Application Interface Framework; 2 each for SAP Kernel, SAP Solution Manager and SAP CRM; and single notes for SAP Commerce, SAP Landscape Management, SAP Business Warehouse, SAP HCM, SAP BusinessObjects, SAP Travel Management and SAP Web Dispatcher.
Vulnerabilities: April 2023 Highlights
[CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) (SAP Note 3305369)
Due to missing authentication in the EventLogServiceCollector and OSCommand Bridge components of the SAP Diagnostics Agent, an attacker is able to execute malicious scripts on all connected Diagnostics Agents running on Windows. This can compromise the confidentiality, integrity and availability of the system.
[CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) (SAP Note 3298961)
An attacker with basic privileges can gain access to an lcmbiar file and then decrypt it. The attacker can then obtain BI users’ passwords and, depending on the privileges of those BI users, perform operations that completely compromise the application.
[CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) (SAP Note 3305907)
An attacker can exploit a Directory Traversal vulnerability in a report to upload and overwrite files on the SAP server. Data cannot be read, but if a remote attacker has sufficient (administrative) privileges then potentially critical OS files can be overwritten, making the system unavailable.
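The directory traversal described above belongs to a class that a file-upload handler can rule out by construction. The following Python example is added here for illustration; it is not SAP’s code and does not reflect how the affected report is implemented. It places a vulnerable join of a client-supplied file name (the pattern that lets `../` sequences or an absolute name escape the target directory) beside a hardened version that rejects anything other than a bare file name and then proves the resolved path still sits under the upload root. The root directory `/srv/app/uploads` and the file names are constructed sample values.

```python
from pathlib import Path

# Constructed example root: the only directory the upload handler may write into.
UPLOAD_ROOT = Path("/srv/app/uploads")


def naive_upload_target(root: Path, user_supplied_name: str) -> Path:
    """Vulnerable pattern: the client-controlled name is joined verbatim.

    '../x' walks out of `root`, and an absolute name replaces `root`
    entirely (pathlib discards the left operand when the right one is
    absolute), so the caller may end up overwriting an arbitrary file.
    """
    return (root / user_supplied_name).resolve(strict=False)


def escapes_root(root: Path, target: Path) -> bool:
    """True when `target` is neither `root` itself nor a descendant of it."""
    root = root.resolve(strict=False)
    return target != root and root not in target.parents


def resolve_upload_target(root: Path, user_supplied_name: str) -> Path:
    """Hardened mapping: accept only a bare file name and prove containment.

    Raises ValueError instead of silently rewriting the name, so an attempt
    to reach outside the directory surfaces in application logs rather than
    being turned into a write to some other file inside the root.
    """
    name = user_supplied_name
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing file name")
    # Treat both separator styles as directory components and refuse them.
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError(f"file name carries a directory component: {name!r}")
    root = root.resolve(strict=False)
    target = (root / name).resolve(strict=False)
    # Belt and braces: resolve() follows existing symlinks, so confirm the
    # final path still sits under the root before handing it back.
    if escapes_root(root, target):
        raise ValueError(f"resolved path leaves the upload root: {target}")
    return target


def accepts_upload_name(root: Path, user_supplied_name: str) -> bool:
    """Policy check wrapper: True if the hardened mapping would accept the name."""
    try:
        resolve_upload_target(root, user_supplied_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("report.txt", "../../etc/passwd", "/etc/passwd"):
        naive = naive_upload_target(UPLOAD_ROOT, candidate)
        print(f"{candidate!r}: naive -> {naive} "
              f"(escapes root: {escapes_root(UPLOAD_ROOT, naive)})")
        try:
            print(f"{candidate!r}: hardened -> {resolve_upload_target(UPLOAD_ROOT, candidate)}")
        except ValueError as exc:
            print(f"{candidate!r}: hardened -> rejected ({exc})")
```

The containment check after `resolve()` matters even once directory components are refused: if an existing entry inside the upload root is a symlink pointing elsewhere, the lexical name is clean but the resolved write target is not, and only the post-resolution comparison catches that case.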
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations sent to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.