
SAP Patch Tuesday overview for February 2023

14 February 2023

A review, best practices and tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.

Patch Tuesday

A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, on which SAP releases patches for vulnerabilities in its products, whether discovered by SAP internally or reported by external researchers such as Protect4S' own research team. This month, SAP Security note 3287291 contains a fix for a vulnerability reported by Protect4S research. All of this serves to improve SAP's product security and to help SAP customers run their systems more securely.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, in line with their SAP Vulnerability Management process and procedures. This month, counting from the last Patch Tuesday, there are a total of 26 new and updated SAP Security notes. Just one of them carries the highest rating, HotNews. Some newly released SAP Security notes that deserve attention (CVSS above 8) are:

  • Customers using SAP BusinessObjects should address note 3256787 ([CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC)). This note has a CVSS score of 8.4/10: a user authenticated as an administrator in the CMC could upload malicious code that is then executed by the application over the network. Also pay attention to the other High-priority SAP BusinessObjects note released this month: 3263135 ([CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform, CVSS 8.5).
  • A High-priority note has been released for SAP Host Agent, the agent present on ABAP as well as Java and HANA hosts: 3285757 ([CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service)). It has a CVSS score of 8.8/10. An attacker authenticated as a non-admin user, with local access to a server port assigned to the SAP Host Agent service, can submit a specially crafted web service request containing an operating system command, which is then executed with administrator privileges.

At the time of writing there are, to our knowledge, no public exploits available for the above-mentioned notes. A total of 26 notes have been released this month: 21 new ones and 5 updates to older notes or additions to last month's Patch Tuesday. A breakdown by priority can be found below:

[Image: SAP Security notes for February 2023 by priority: 1 HotNews, 5 High, 19 Medium, 1 Low]

For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security notes are reviewed, assessed for relevance and risk, and applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and, for ABAP systems, applying those notes that ship with automatic correction instructions. A full overview of this month's SAP Security notes can be found below (new and updated notes released after last month's Patch Tuesday):

SAP Security note # | Description | CVSS v3 score | Priority
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews
3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8.5 | High
3256787 | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | 8.4 | High
3285757 | [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service) | 8.8 | High
3263135 | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 8.5 | High
3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8.8 | High
2788178 | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 4.3 | Medium
2985905 | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | 6.5 | Medium
3275841 | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | 5.4 | Medium
3293786 | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3281724 | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | 6.5 | Medium
3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6.5 | Medium
3282663 | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | 6.1 | Medium
3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3269118 | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3269151 | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3271227 | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.1 | Medium
3268959 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3266751 | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | 6.1 | Medium
3265846 | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Medium
3267442 | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Medium
3270509 | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | 6.5 | Medium
3263863 | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | 4.3 | Medium
3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6.1 | Medium
3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3287291 | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 3.8 | Low
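The monthly review the text describes (collect the notes, rank them by priority and CVSS, pick out the ones above a threshold) is easy to script. The helper below is an added example written for this page; it is not Protect4S or SAP code. It parses the note table in the plain-text form shown above (columns separated by whitespace or " | ", score written with either "." or "," as the decimal separator, a bracketed CVE in the title where one exists), builds one record per note, and then produces the priority breakdown and the "above CVSS 8" shortlist. The embedded rows are copied from this month's table; a real run would read SAP's monthly note export instead, which is an assumption about your own process rather than anything the page prescribes.

```python
"""Added example (not Protect4S or SAP code): triage a monthly SAP Security note list.
Input rows look like "<note number> <title with optional [CVE-...]> <CVSS v3 score> <priority>",
columns separated by whitespace or " | ", score with "." or "," as decimal separator."""
import re
from collections import Counter
from dataclasses import dataclass

# Rows copied from the February 2023 table on this page (constructed input for the
# example; in practice this would be SAP's monthly note export).
NOTE_TABLE = """\
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews
3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8.5 | High
3256787 | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | 8.4 | High
3285757 | [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service) | 8.8 | High
3263135 | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 8.5 | High
3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8.8 | High
2788178 | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 4.3 | Medium
2985905 | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | 6.5 | Medium
3275841 | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | 5.4 | Medium
3293786 | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3281724 | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | 6.5 | Medium
3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6.5 | Medium
3282663 | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | 6.1 | Medium
3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3269118 | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3269151 | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium
3271227 | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.1 | Medium
3268959 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3266751 | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | 6.1 | Medium
3265846 | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Medium
3267442 | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Medium
3270509 | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | 6.5 | Medium
3263863 | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | 4.3 | Medium
3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6.1 | Medium
3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Medium
3287291 | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 3.8 | Low
"""

ROW_RE = re.compile(
    r"^(?P<note>\d{6,8})\s+"                    # SAP Security note number
    r"(?P<title>.+?)\s+"                        # title, may contain [CVE-...] and version numbers
    r"(?P<score>\d{1,2}[.,]\d)\s+"              # CVSS v3 base score, "8,8" or "8.8"
    r"(?P<priority>HotNews|High|Medium|Low)$"   # SAP priority anchors the end of the row
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PRIORITY_ORDER = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class SecurityNote:
    number: str
    title: str
    cves: tuple
    cvss: float
    priority: str

def parse_notes(text):
    """Parse the note table into SecurityNote records; reject malformed rows loudly."""
    notes = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*", " ", raw).strip()   # tolerate " | " separated columns
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable note row: {raw!r}")
        notes.append(SecurityNote(
            number=m["note"],
            title=m["title"],
            cves=tuple(CVE_RE.findall(m["title"])),
            cvss=float(m["score"].replace(",", ".")),   # "8,8" -> 8.8
            priority=m["priority"],
        ))
    return notes

def priority_breakdown(notes):
    """Count notes per SAP priority, e.g. {'HotNews': 1, 'High': 5, ...}."""
    return dict(Counter(n.priority for n in notes))

def notes_above(notes, threshold):
    """Notes with a CVSS base score strictly above threshold, highest score first."""
    return sorted((n for n in notes if n.cvss > threshold),
                  key=lambda n: (-n.cvss, PRIORITY_ORDER[n.priority], n.number))

def triage_order(notes):
    """Patch order for the month: SAP priority first, then CVSS, then note number."""
    return sorted(notes, key=lambda n: (PRIORITY_ORDER[n.priority], -n.cvss, n.number))

if __name__ == "__main__":
    notes = parse_notes(NOTE_TABLE)
    print(priority_breakdown(notes))
    for n in notes_above(notes, 8.0):
        print(f"{n.number} CVSS {n.cvss:>4} {n.priority:<7} {', '.join(n.cves) or '-'}")
```

Run as-is it prints the same breakdown as the image above (1 HotNews, 5 High, 19 Medium, 1 Low) and six notes above CVSS 8, which is two more than the bullets single out: 3268172 and 3271091 also clear that bar. The row regex anchors on the priority word at the end of the line on purpose, so a version number such as "7.2" inside a title is never mistaken for the score, and a row that does not match raises instead of being silently dropped, which is the failure mode you least want in a patch-tracking script.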

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!