SAP’s security patch day for March 2023 has seen the release of 19 new OSS SAP security notes. 5 notes have been classified as critical, 4 as high and 10 as medium based on their CVSS v3.0 rating.
7 notes have been released for SAP NetWeaver AS ABAP, 5 notes for SAP NetWeaver AS JAVA and 3 notes for SAP BusinessObjects. Single notes have been released for SAP Authenticator, SAP S/4HANA, SAP Content Server and SAP Host Agent.
Vulnerabilities: March 2023 Highlights
[CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (SAP Note 3302162)
An attacker with non-administrative authorisations can exploit a flaw in a programme to overwrite system files. No data can be read, but the ability to overwrite system files could make the system unavailable.
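The defensive check that closes this class of flaw is to canonicalise every user-supplied path and refuse any target that does not land strictly inside the one directory the program is allowed to write to. The following is an added illustration in Python, not SAP's code and not taken from the note; the root directory, the function names and the sample paths are assumptions chosen for the example.

```python
import tempfile
from pathlib import Path

# Assumption for the example: the only directory the service may write into.
ALLOWED_ROOT = Path(tempfile.gettempdir()) / "export-demo-root"


def resolve_within(root: Path, user_supplied: str) -> Path:
    """Return the canonical target for a user-supplied path, or raise if it escapes root.

    resolve() follows symlinks and collapses '..' segments, so both a literal
    '../../etc/passwd' and a symlink inside root that points outside it are
    rejected. An absolute path is rejected as well, because Path(root) / '/etc/x'
    discards root entirely.
    """
    root = root.resolve()
    candidate = (root / user_supplied).resolve()
    # The target must have root as a proper ancestor; the root directory itself
    # is not a valid file to overwrite either.
    if root not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {user_supplied!r}")
    return candidate


def is_safe_target(user_supplied: str, root: Path = ALLOWED_ROOT) -> bool:
    """Convenience wrapper: True only when the write would stay inside root."""
    try:
        resolve_within(root, user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["reports/2023-03.csv", "../../etc/passwd", "/etc/passwd", "."]:
        print(f"{sample!r:>24} -> {'allowed' if is_safe_target(sample) else 'rejected'}")
```

The check is on the resolved path, not on the raw string, which is what makes it robust against encoded or symlinked traversal; a string filter that only looks for `..` is the usual way such fixes end up incomplete.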
[CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) (SAP Note 3283438)
Due to incorrectly escaped parameters in Unix, SAP Business Objects Business Intelligence Platform (Adaptive Job Server) allows an authenticated attacker to execute arbitrary commands over the network.
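To show concretely why incorrectly escaped parameters become command execution on Unix, here is an added Python illustration that is not SAP's code and has nothing to do with the Adaptive Job Server internals: a stand-in "report" program (`printf`) is invoked three ways with the same parameter. The parameter value, the function names and the command are all constructed for the example.

```python
import shlex
import subprocess


def run_unsafe(report_name: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a shell command line unescaped.

    A value containing a shell metacharacter such as ';' ends the intended
    command and starts a second one that the shell runs with the same privileges.
    """
    cmd = f"printf 'report=%s\\n' {report_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(report_name: str) -> str:
    """Hardened, still via the shell: the parameter is escaped with shlex.quote,
    so the shell sees it as a single literal word whatever it contains."""
    cmd = f"printf 'report=%s\\n' {shlex.quote(report_name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(report_name: str) -> str:
    """Preferred: no shell at all. The argument vector goes straight to exec,
    so there is no parser left for the parameter to influence."""
    argv = ["printf", "report=%s\n", report_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample parameter containing a shell separator.
    sample = "q1; echo INJECTED"
    print("unsafe :", repr(run_unsafe(sample)))
    print("quoted :", repr(run_quoted(sample)))
    print("no-shell:", repr(run_safe(sample)))
```

The unsafe variant prints a second line that the program never asked for, while both hardened variants print the parameter verbatim. When reviewing job-scheduler or agent code, the line to look for is any string-built command handed to a shell; the fix is to pass an argument vector, and only fall back to quoting when a shell is genuinely required.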
[CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java (SAP Note 3252433)
Due to missing authentication check, SAP NetWeaver Application Server for Java allows an unauthenticated attacker to attach to an open interface. They can then make use of an open naming and directory API to access services. This can be used to perform unauthorized operations affecting users and services across systems.
[CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (SAP Note 3245526)
In some scenarios, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges.
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.