SAP Security Patch Day – April 2023
On April 11th, SAP released its latest Security Patch Day, the first after the Easter break. Patch Day matters to every business that runs SAP software and takes its security seriously. In this article we take a closer look at the four HotNews Notes that were released or updated. HotNews is the highest priority SAP assigns to a Security Note; these Notes address vulnerabilities that could lead to a high-risk compromise of the affected system, so businesses should prioritize and apply them promptly to minimize the window of exposure.
SAP Security Patches April 2023
On April 11th, 2023, SAP published 21 Security Notes for this Patch Day: 19 new corrections and two updates to previously released Notes. Among them is the updated HotNews Note for a Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform.
It is worth noting that one Security Note carries the category "Consulting". Such a Note does not ship a code correction; it provides configuration guidance and recommendations that customers have to apply themselves. SAP BusinessObjects Business Intelligence Platform is once again on the list, this time with a HotNews Note for its Promotion Management feature. Let's look at the highlights.
One of the critical Notes on the April 11th, 2023 Security Patch Day is 3294595, which addresses a Directory Traversal vulnerability (CVE-2023-27269) in SAP NetWeaver AS for ABAP and ABAP Platform. SAP rates the Note HotNews with a CVSS score of 9.6; both the rating and the score are unchanged from its initial release in March. What changed in April is the solution description: it was reworked and now contains a workaround for customers who cannot implement the recommended support package immediately. The workaround reduces exposure in the meantime, but it is not a substitute for the support package.
Another critical Note released on April 11th, 2023 is SAP Note 3305369, which addresses multiple vulnerabilities (CVE-2023-27497) in the SAP Diagnostics Agent. It carries a CVSS score of 10.0. The Note is crucial for every customer running an SAP Solution Manager landscape, because the Diagnostics Agent is installed on the managed systems and is a central component of that landscape.
The Note fixes vulnerabilities in the OSCommand Bridge and in the EventLogServiceCollector that could lead to Remote Code Execution (RCE). Our experts strongly recommend prioritizing this Note: an attacker who exploits either component can gain unauthorized access to the host on which the agent runs, and since agents are deployed across the landscape, a single vulnerable agent is rarely the only one.
SAP has also released Note 3298961 for SAP BusinessObjects Business Intelligence Platform. This HotNews Note (CVSS 9.8) addresses CVE-2023-28765, an Information Disclosure vulnerability in the Promotion Management feature. Affected customers should update to the patch level listed in the Note to resolve the issue.
Additionally, there is an IP filter vulnerability (CVE-2023-29108) in ABAP Platform and SAP Web Dispatcher. Due to erroneous handling of IP netmasks in the filter, requests from sources that were supposed to be blocked can reach backend applications. SAP rates the impact on the confidentiality of the application as limited (CVSS 5.0, medium priority), but the Note is categorized as Consulting: there is no code correction to import, so customers have to review and adjust the filter configuration themselves.
The details are in SAP Note 3315312. To learn more about securing the SAP Web Dispatcher and the ICM, please refer to the following article: SECURING YOUR SAP INTERNET COMMUNICATION MANAGER (ICM).
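The Note itself does not describe the exact defect, and the example below is not SAP code and makes no claim about how the ICM filter is implemented. It is an added, generic illustration of what an IP allow-list has to get right: the client address must be masked against the rule's network before comparison, and a rule written with a dotted netmask (255.255.255.0) must behave exactly like its prefix form (/24). The `naive_prefix_allowed` function shows the kind of shortcut that admits unwanted sources; `is_allowed` does it correctly with Python's `ipaddress` module, and `audit` lets you confirm that a rule set gives the decisions you expect for a list of test addresses. Rule set and test addresses are constructed for the example.

```python
"""Added illustration (not SAP code): evaluating an IP allow-list with correct
netmask handling, plus an audit helper for checking a rule set against
expected decisions."""
import ipaddress
from typing import List, Tuple

# Constructed sample rules, evaluated in order; first match wins.
# The second rule deliberately uses a dotted netmask instead of a prefix length.
SAMPLE_RULES: List[Tuple[str, str]] = [
    ("permit", "10.1.2.0/24"),
    ("permit", "192.168.10.0/255.255.255.0"),
    ("deny", "0.0.0.0/0"),
]


def parse_rules(rules):
    """Turn (action, network) pairs into (action, ip_network) pairs.

    ip_network() accepts both prefix-length and dotted-netmask notation, so a
    rule written either way yields the same network object.
    """
    parsed = []
    for action, net in rules:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        parsed.append((action, ipaddress.ip_network(net, strict=False)))
    return parsed


def naive_prefix_allowed(rules, client: str) -> bool:
    """Flawed matcher: compares the textual prefix of the network address.

    "10.1.2.0/24" becomes the prefix "10.1.2", which also matches 10.1.20.x
    and 10.1.200.x. This is the pattern a netmask-unaware filter falls into.
    """
    for action, net in rules:
        base = net.split("/")[0]
        prefix = base.rstrip("0.")
        if client.startswith(prefix):
            return action == "permit"
    return False


def is_allowed(parsed_rules, client: str) -> bool:
    """Correct matcher: membership test masks the client address with the
    rule's netmask. A client of the other IP version never matches an IPv4
    rule, and anything that matches no rule is denied."""
    ip = ipaddress.ip_address(client)
    for action, network in parsed_rules:
        if ip in network:
            return action == "permit"
    return False


def audit(rules, cases):
    """Return (client, expected, actual) for every test address whose
    decision differs from what the operator expected. Empty list == pass."""
    parsed = parse_rules(rules)
    findings = []
    for client, expected in cases:
        actual = is_allowed(parsed, client)
        if actual != expected:
            findings.append((client, expected, actual))
    return findings


if __name__ == "__main__":
    cases = [("10.1.2.77", True), ("10.1.20.5", False),
             ("192.168.10.9", True), ("192.168.100.9", False)]
    for client, _ in cases:
        print(f"{client:16} naive={naive_prefix_allowed(SAMPLE_RULES, client)!s:5} "
              f"masked={is_allowed(parse_rules(SAMPLE_RULES), client)}")
    print("audit findings:", audit(SAMPLE_RULES, cases))
```

Run with a copy of your own rule set and a list of addresses that must and must not get through; any finding from `audit` is a rule that does not do what its author believed.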
Summary by Severity
The April release contains a total of 21 Security Notes with the following severities:
Severity | Number |
---|---|
Hot News | 4 |
High | 1 |
Medium | 13 |
Low | 3 |
Severity corresponds to the SAP priority of the Note (HotNews, correction with high, medium or low priority).
Note | Title | Released on | Component | Category | Severity | CVSS |
---|---|---|---|---|---|---|
2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.04.2018 | BC-FES-BUS-DSK | Program error | Hot News | 10.0 |
3269352 | [CVE-2023-29189] HTTP Verb Tampering vulnerability in SAP CRM (WebClient UI) | 11.04.2023 | CA-WUI-UI | Program error | Medium | 5.4 |
3301457 | [CVE-2023-1903] Missing Authorization check in SAP HCM Fiori App My Forms (Fiori 2.0) | 11.04.2023 | PA-FIO-FO | Program error | Medium | 4.3 |
3275458 | [CVE-2023-27499] Cross-Site Scripting (XSS) vulnerability in SAP GUI for HTML | 11.04.2023 | BC-FES-WGU | Program error | Medium | 6.1 |
3305907 | [CVE-2023-29186] Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) | 11.04.2023 | BW-BCT-GEN | Program error | High | 8.7 |
3312733 | [CVE-2023-26458] Information Disclosure vulnerability in SAP Landscape Management | 11.04.2023 | BC-VCM-LVM | Program error | Medium | 6.8 |
3311624 | [CVE-2023-29187] DLL Hijacking vulnerability in SapSetup (Software Installation Program) | 11.04.2023 | BC-FES-INS | Program error | Medium | 6.7 |
3117978 | [CVE-2023-29111] Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service) | 11.04.2023 | BC-SRV-AIF | Program error | Low | 3.1 |
3113349 | [CVE-2023-29110] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 11.04.2023 | BC-SRV-AIF | Program error | Low | 3.7 |
3115598 | [CVE-2023-29109] Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | 11.04.2023 | BC-SRV-AIF | Program error | Medium | 4.4 |
3114489 | [CVE-2023-29112] Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | 11.04.2023 | BC-SRV-AIF | Program error | Low | 3.7 |
3298961 | [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | 11.04.2023 | BI-BIP-LCM | Program error | Hot News | 9.8 |
3309056 | [CVE-2023-27897] Code Injection vulnerability in SAP CRM | 11.04.2023 | CRM-BF | Program error | Medium | 6.0 |
3316509 | Remote Code Execution vulnerability in SAP Commerce | 11.04.2023 | CEC-COM-CPS-COR | Program error | Medium | 4.7 |
3289994 | [CVE-2023-28761] Missing Authentication check in SAP NetWeaver Enterprise Portal | 11.04.2023 | EP-PIN-PRT | Program error | Medium | 6.5 |
3303060 | [CVE-2023-29185] Denial of Service (DoS) in SAP NetWeaver AS for ABAP (Business Server Pages) | 11.04.2023 | BC-BSP | Program error | Medium | 5.3 |
3296378 | [CVE-2023-28763] Denial of Service in SAP NetWeaver AS for ABAP and ABAP Platform | 11.04.2023 | BC-MID-AC | Program error | Medium | 6.5 |
3305369 | [CVE-2023-27497] Multiple vulnerabilities in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector) | 11.04.2023 | SV-SMG-DIA-SRV-AGT | Program error | Hot News | 10.0 |
3287784 | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | 11.04.2023 | BC-JAS-DPL | Program error | Medium | 5.3 |
3315312 | [CVE-2023-29108] IP filter vulnerability in ABAP Platform and SAP Web Dispatcher | 11.04.2023 | BC-CST-IC | Consulting | Medium | 5.0 |
3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 14.03.2023 | BC-CCM-PRN | Program error | Hot News | 9.6 |