
SAP Patch Tuesday overview for March 2023 

14 March 2023

A review, best practices and tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.

Patch Tuesday

A new month, a new SAP Security Patch Tuesday: the second Tuesday of the month, when SAP releases patches for vulnerabilities in its products, whether discovered internally by SAP or by external researchers such as Protect4S' own team. All of this serves to improve the security of SAP's products and to help SAP customers run their SAP systems more securely.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, in line with their SAP vulnerability management process and procedures. This month, counting from the last Patch Tuesday, there are 21 new and updated SAP Security notes in total. No fewer than 6 carry the highest HotNews rating (CVSS 9.0 or higher) and 4 are rated High priority. The highest-rated notes are summarised below.

  • SAP Business Objects: 2 HotNews notes have been newly released. Note 3245526 describes a code injection vulnerability and note 3283438 a command execution vulnerability; both have a high potential impact on the confidentiality, integrity and availability of the system, reflected in their CVSS scores of 9.9 and 9.0 respectively. Note that for both issues a workaround is available, which can provide a quick, temporary resolution until the patch is applied.
  • SAP NetWeaver AS Java: 2 HotNews notes have been released. Note 3252433 describes a missing authentication check that can lead to access to sensitive information and potential unavailability of the system, reflected in its CVSS score of 9.9. See also FAQ note 3299806 for additional information. Important points for resolution:
      • There is no workaround for this issue; patching the system is required.
      • All AS Java 7.5 versions are impacted, and there is no fix for SP versions below SP19.
      • Downtime is required because the SERVERCORE component is affected.

Note 3273480 (CVSS 9.9) was first released in 2022 and has been updated several times. The current update adds information on the possible cause and on side effects when the note is implemented. Customers that have already implemented the note only need to review this; the vulnerability and resolution information itself is unchanged.

  • SAP ABAP Platform: 2 HotNews notes have been newly released, both with a CVSS score of 9.6. Notes 3294595 and 3302162 both describe a directory traversal vulnerability that can lead to system files being overwritten and, as a result, the system becoming unavailable. For both notes a workaround is available to mitigate the issue quickly; for note 3302162 the workaround is described in note 3311360.
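The ABAP notes above do not spell out the affected code path, so the following is an added, generic illustration of the directory traversal class (not SAP's code and not from the original post): a file name taken from the caller is joined to a fixed export directory. The naive join lets `../` segments or an absolute name reach files outside that directory, which is how a write ends up overwriting system files; the hardened variant rejects separators and dot segments and then checks the canonical path. The base directory `/srv/app/exports` and the function names are assumptions for the example.

```python
import os
from pathlib import Path

# Hypothetical export directory that a file-writing routine is allowed to use.
BASE_DIR = Path("/srv/app/exports")


def vulnerable_target_path(base: Path, user_supplied_name: str) -> Path:
    """Naive join that trusts the caller's file name. Segments such as '../'
    walk out of `base`, and an absolute name replaces `base` entirely, so a
    later write to the returned path can overwrite an arbitrary file."""
    return base / user_supplied_name


def escapes_base(base: Path, user_supplied_name: str) -> bool:
    """True when the naive join lands outside `base` after normalisation."""
    candidate = vulnerable_target_path(base, user_supplied_name).resolve(strict=False)
    return base.resolve(strict=False) not in candidate.parents


def safe_target_path(base: Path, user_supplied_name: str) -> Path:
    """Hardened version: an export file name never needs path separators or
    dot segments, so reject them outright, then confirm that the canonical
    path (symlinks followed) still sits directly under the canonical base."""
    name = user_supplied_name
    if not name or name in (".", "..") or any(sep in name for sep in ("/", "\\")):
        raise ValueError(f"rejected file name: {name!r}")
    base_resolved = base.resolve(strict=False)
    candidate = (base_resolved / name).resolve(strict=False)
    if candidate.parent != base_resolved:
        raise ValueError(f"path escapes base directory: {candidate}")
    return candidate


def is_rejected(user_supplied_name: str, base: Path = BASE_DIR) -> bool:
    """Report whether the hardened check refuses a given name."""
    try:
        safe_target_path(base, user_supplied_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts.
    for name in ("report.csv", "../../etc/passwd", "/etc/passwd", "..", "sub/report.csv"):
        naive = vulnerable_target_path(BASE_DIR, name)
        print(f"{name!r:20} naive -> {str(naive):30} "
              f"escapes={escapes_base(BASE_DIR, name)!s:5} rejected={is_rejected(name)}")
```

The check compares `candidate.parent` with the resolved base rather than testing a string prefix, so a base of `/srv/app/exports` is not fooled by `/srv/app/exports-old/...`, and a symlink planted inside the directory is followed before the comparison.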

At the time of writing, no public exploits are known to us for the notes mentioned above. A total of 21 notes were released this month: 19 new ones and 2 updates to older notes or additions to last month's Patch Tuesday. The breakdown by priority is:

[Figure: breakdown of this month's notes by priority; per the table below: 6 HotNews, 4 High, 11 Medium]

For organisations using SAP software it is important to have a process and procedures in place that ensure the SAP Security notes are reviewed every month, assessed for relevance and risk, and applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and, for ABAP systems, applying them in an automated way (for patches with automatic correction instructions). A full overview of this month's SAP Security notes follows (new and updated notes released after last month's Patch Tuesday):
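As an added example of the monthly review step (not Protect4S code and not part of the original post), the script below turns a handful of rows from this month's table into a prioritised worklist: it parses each row, checks that the stated priority matches the CVSS band SAP uses (HotNews 9.0 and up, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), flags rows it cannot rank, and then lists, per system, the relevant notes that are not yet implemented. The system IDs, the product-per-system mapping and the set of already-implemented notes are constructed for the example; in practice that inventory comes from the systems themselves.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rows copied from this month's note table (note number, CVE list in brackets,
# title, CVSS v3 score, SAP priority). Note 3283438 is listed without its score
# on purpose, to show how a row that cannot be ranked by CVSS is treated.
NOTE_ROWS = """\
3245526  [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)  9.9  HotNews
3252433  [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java  9.9  HotNews
3283438  [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)  HotNews
3296476  [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)  8.8  High
3289844  [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform  6.8  Medium
3287120  [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform  6.5  Medium
"""

# Constructed inventory with hypothetical system IDs: the product each system
# runs and the notes it already has implemented.
SYSTEM_PRODUCT: Dict[str, str] = {"PRD-ABAP": "ABAP", "PRD-JAVA": "Java", "PRD-BOBJ": "BusinessObjects"}
APPLIED_NOTES: Dict[str, Set[str]] = {"PRD-ABAP": {"3289844"}, "PRD-JAVA": set(), "PRD-BOBJ": {"3245526"}}

PRIORITY_RANK = {"HotNews": 3, "High": 2, "Medium": 1, "Low": 0}

# Title keywords used to guess which product family a note applies to; checked
# in order, so the broad ABAP match comes last.
PRODUCT_KEYWORDS: List[Tuple[str, Tuple[str, ...]]] = [
    ("BusinessObjects", ("Business Objects", "BusinessObjects")),
    ("Java", ("AS for Java", "AS Java")),
    ("ABAP", ("ABAP", "Solution Manager")),
]

# number, [cves], title, optional score (dot or comma decimal), priority
ROW_RE = re.compile(r"^(\d+)\s+\[(.*?)\]\s+(.*?)\s+(?:(\d+[.,]\d)\s+)?(HotNews|High|Medium|Low)\s*$")


@dataclass
class SecurityNote:
    number: str
    cves: List[str]
    title: str
    cvss: Optional[float]
    priority: str
    product: str


def product_of(title: str) -> str:
    for product, keywords in PRODUCT_KEYWORDS:
        if any(k in title for k in keywords):
            return product
    return "Other"


def parse_notes(rows: str) -> List[SecurityNote]:
    notes = []
    for line in rows.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        number, cve_text, title, score, priority = m.groups()
        cvss = float(score.replace(",", ".")) if score else None
        cves = re.findall(r"CVE-\d{4}-\d+", cve_text)  # "[Multiple CVEs]" yields []
        notes.append(SecurityNote(number, cves, title, cvss, priority, product_of(title)))
    return notes


def expected_priority(cvss: float) -> str:
    """SAP's CVSS-to-priority bands."""
    if cvss >= 9.0:
        return "HotNews"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def consistency_issues(notes: List[SecurityNote]) -> List[str]:
    """Rows that need a manual look: no score, or a score outside the stated band."""
    issues = []
    for n in notes:
        if n.cvss is None:
            issues.append(f"{n.number}: no CVSS score in row, check the note itself")
        elif expected_priority(n.cvss) != n.priority:
            issues.append(f"{n.number}: CVSS {n.cvss} implies {expected_priority(n.cvss)}, row says {n.priority}")
    return issues


def triage(rows: str, system_product: Dict[str, str],
           applied: Dict[str, Set[str]]) -> List[Tuple[str, str, str, Optional[float]]]:
    """Outstanding (system, note, priority, cvss) entries, most urgent first.
    A note without a score sorts to the top of its band, not the bottom."""
    notes = parse_notes(rows)
    work = [
        (system, n.number, n.priority, n.cvss)
        for system, product in system_product.items()
        for n in notes
        if n.product == product and n.number not in applied.get(system, set())
    ]
    work.sort(key=lambda w: (-PRIORITY_RANK[w[2]], -(w[3] if w[3] is not None else 10.0), w[1]))
    return work


if __name__ == "__main__":
    for issue in consistency_issues(parse_notes(NOTE_ROWS)):
        print("CHECK:", issue)
    for system, number, priority, cvss in triage(NOTE_ROWS, SYSTEM_PRODUCT, APPLIED_NOTES):
        print(f"{system:9} note {number}  {priority:8} CVSS {cvss if cvss is not None else '?'}")
```

The product guess from the note title is deliberately simple; for real use, relevance should come from the software component and support package level the note lists, which is exactly the step the text says needs a process behind it.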

| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9.9 | HotNews |
| 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | 9.9 | HotNews |
| 3273480 | [CVE-2022-41272] Improper Access Control in SAP NetWeaver AS Java (User Defined Search) | 9.9 | HotNews |
| 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews |
| 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews |
| 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | 9.0 | HotNews |
| 3296476 | [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | 8.8 | High |
| 3294954 | [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 8.7 | High |
| 3296346 | [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 7.4 | High |
| 3275727 | [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL | 7.2 | High |
| 3289844 | [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform | 6.8 | Medium |
| 3284550 | [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | 6.8 | Medium |
| 3296328 | [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | 6.5 | Medium |
| 3287120 | [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | 6.5 | Medium |
| 3302710 | [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android | 6.1 | Medium |
| 3281484 | [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server | 6.1 | Medium |
| 3274920 | [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | 6.1 | Medium |
| 3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Medium |
| 3288480 | [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | 5.3 | Medium |
| 3288096 | [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | 5.3 | Medium |
| 3288394 | [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) | 5.3 | Medium |
