A review, best practices, and tips and tricks for this month’s SAP Security patches – fixing SAP vulnerabilities.
A new year, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases its patches to fix vulnerabilities in SAP products. These vulnerabilities are discovered either by SAP internally or by external researchers such as Protect4S’ own team, all working to improve the security of SAP products and to help SAP customers run their SAP systems more securely.
As always, customers should assess the list of released SAP Security notes and apply them where applicable, in line with their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there is a limited list of only 12 new and updated SAP Security notes; 7 of them carry the highest rating, HotNews. The SAP Security notes that deserve attention are:
- Customers using SAP BusinessObjects should address the new HotNews note 3262810 – [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP). This note has a CVSS score of 9,9/10: injection of operating system commands could severely compromise the confidentiality, integrity and availability of the system. Also pay attention to another SAP BusinessObjects HotNews note that was updated: 3243924.
- A HotNews note has been released for the SAP Java stack: note 3268093 – [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java. This vulnerability has a CVSS score of 9,4/10 and can be exploited without authentication, leading to full read and change access to user data and to denial of service of services in the system.
- For ABAP systems a HotNews note has been released to address a rather rare replay attack possibility: note 3089413 – [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform. A first analysis by our research team shows that this vulnerability is not easy to exploit, because the prerequisites for a successful attack require two SAP systems with the same SAP System ID in a landscape and options to capture network traffic or equivalent privileges in an SAP system. Patching this vulnerability includes code corrections in the application and a kernel update. Since this is a more complex note, an FAQ is available in SAP Note 3281854.
- Customers using SAP BPC for Microsoft should evaluate whether note 3275391 – [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS, applies to them. This is the BPC Microsoft solution that does not run on SAP NetWeaver but as a standalone server component.
- The two HotNews notes 3267780 and 3273480 released last month have been updated. Make sure they are addressed if you use SAP Process Integration.
At the time of writing there are, to our knowledge, no public exploits available for the above-mentioned notes. A total of 12 notes have been released this month: 9 new ones and 3 updates to older notes or additions to last month’s Patch Tuesday. A breakdown by priority can be found below:
For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way on ABAP systems (for the patches with automatic correction instructions). A full overview of this month’s SAP Security notes can be found below (these are the new and updated notes released after last month’s Patch Tuesday):
| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3262810 | [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP) | 9,9 | HotNews |
| 3150704 | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | 4,5 | Medium |
| 3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6,1 | Medium |
| 3268093 | [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java | 9,4 | HotNews |
| 3266006 | [CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console) | 5,4 | Medium |
| 3089413 | [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9 | HotNews |
| 3275391 | [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS | 9,9 | HotNews |
| 3251447 | [CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence) | 4,6 | Medium |
| 3276120 | [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows) | 6,4 | Medium |
| 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 9,9 | HotNews |
| 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System) | 9,4 | HotNews |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9,9 | HotNews |
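As an added illustration of the monthly review-and-assess step described above (example code written for this page, not Protect4S code and not part of the original post), the script below parses this month’s note list as tabulated, maps each note to a product family by keywords in its title, and ranks the notes that apply to a landscape by CVSS v3 score so the highest-risk patches are handled first. The product-family keyword mapping and the landscape inventory are assumptions constructed for the example; the note numbers, CVE identifiers, scores and priorities are the ones from the table.

```python
"""Monthly SAP Security note triage (added example; inventory and family mapping are constructed)."""
import re
from dataclasses import dataclass

# This month's notes as listed on the page: note number | title | CVSS v3 | priority.
# CVSS scores keep the comma decimal separator used in the table.
NOTES_TABLE = """\
3262810|[CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)|9,9|HotNews
3150704|[CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)|4,5|Medium
3283283|[CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform|6,1|Medium
3268093|[CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java|9,4|HotNews
3266006|[CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)|5,4|Medium
3089413|[CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform|9|HotNews
3275391|[CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS|9,9|HotNews
3251447|[CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)|4,6|Medium
3276120|[CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)|6,4|Medium
3243924|[CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)|9,9|HotNews
3267780|[CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System)|9,4|HotNews
3273480|[CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)|9,9|HotNews
"""

# Keyword-to-family mapping (an assumption for this example; note that SAP's own naming
# varies, e.g. "AS for Java" and "AS Java" both appear in this month's titles).
PRODUCT_FAMILIES = {
    "AS ABAP": ("SAP NetWeaver AS for ABAP",),
    "AS Java": ("SAP NetWeaver AS for Java", "SAP NetWeaver AS Java"),
    "BusinessObjects": ("SAP BusinessObjects",),
    "BPC MS": ("SAP Business Planning and Consolidation MS",),
    "Host Agent": ("SAP Host Agent",),
    "Bank Account Management": ("SAP Bank Account Management",),
}


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    cvss: float
    priority: str

    @property
    def family(self) -> str:
        for family, aliases in PRODUCT_FAMILIES.items():
            if any(alias in self.title for alias in aliases):
                return family
        return "Unknown"  # unmapped notes go to manual review; they are never silently dropped


def parse_notes(table: str) -> list[Note]:
    """Parse 'number|[CVE-id] title|cvss|priority' lines; accepts comma decimals."""
    notes = []
    for line in table.strip().splitlines():
        number, full_title, cvss, priority = (f.strip() for f in line.split("|"))
        m = re.match(r"^\[(CVE-\d{4}-\d{4,})\]\s*(.*)$", full_title)
        if not m:
            raise ValueError(f"note {number}: title lacks a CVE identifier: {full_title!r}")
        notes.append(Note(number, m.group(1), m.group(2), float(cvss.replace(",", ".")), priority))
    return notes


def triage(notes, installed_families, min_cvss=0.0):
    """Notes that apply to the landscape (plus any unmapped ones), most severe first."""
    applicable = [
        n for n in notes
        if (n.family in installed_families or n.family == "Unknown") and n.cvss >= min_cvss
    ]
    return sorted(applicable, key=lambda n: (-n.cvss, n.number))


def count_by_priority(notes):
    """Breakdown by SAP priority, e.g. {'HotNews': 7, 'Medium': 5} for this month."""
    counts = {}
    for n in notes:
        counts[n.priority] = counts.get(n.priority, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed landscape: an ABAP system, a Java system and Host Agents on Windows hosts.
    inventory = {"AS ABAP", "AS Java", "Host Agent"}
    notes = parse_notes(NOTES_TABLE)
    print("breakdown by priority:", count_by_priority(notes))
    for n in triage(notes, inventory):
        print(f"{n.priority:8} {n.cvss:4.1f}  note {n.number}  {n.cve}  [{n.family}] {n.title}")
```

Ranking by CVSS alone is only the first cut: the score says nothing about whether the affected component is reachable from the network or which notes need a kernel update rather than an automatic correction instruction, so the sorted list is the input to the risk assessment, not its result. Notes whose title does not match any known family are deliberately kept in the output so that a new product name is reviewed by a person instead of disappearing from the list.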