SAP Security Patch Day – March 2023
On March 14th, SAP released its latest Security Patch Day, an important date for customers of the leading enterprise application provider from Walldorf, Germany, who are concerned about cybersecurity. Detecting missing patches within complex environments can be challenging, and many security-aware SAP customers rely on intelligent tools to help them. False positives often cause significant trouble and wasted effort. Fortunately, SecurityBridge Patch Management for SAP provides a solution that boasts the highest accuracy in the industry.
The March 2023 Security Patch Day stands out for the publication of five (5) critical corrections rated between CVSS 9.0 and 9.9. You can find the full list here. The CVSS rating provided by the vendor (SAP) is often questioned by threat intelligence providers, who also correlate field experience such as whether an exploitation script/PoC exists or whether the vulnerability has been used in active intrusions. Nevertheless, this information helps customers prioritize their patching efforts. Some of the leading providers of threat intelligence include Microsoft, Mandiant, and NTT Security.
SAP Security Patches March 2023
In the March 2023 SAP Security Patch Day, SAP released 19 (+3 updates) security corrections, including fixes for its flagship products such as SAP NetWeaver AS for ABAP and ABAP Platform, SAP NetWeaver AS for Java, and SAP BusinessObjects Business Intelligence Platform.
One of the most critical vulnerabilities resolved in this patch day is the CVSS 9.9 code injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC), addressed by SAP Note 3245526 (listed as CVE-2023-25616). Another critical vulnerability is the improper access control in SAP NetWeaver AS for Java, which is rated CVSS 9.9 and is resolved by implementing SAP Note 3252433 (listed as CVE-2023-23857). This vulnerability stems from a missing authentication check, which allows a threat actor to gain access to the directory of API services. Due to its high likelihood of exploitation, we advise customers to patch this vulnerability as soon as possible.
Another vulnerability, fixed with SAP Note 3283438 (listed as CVE-2023-25617), is rated CVSS 9.6 with Hot News priority: a directory traversal vulnerability in the SAPRSBRO program, which exists in SAP S/4HANA and affects many SAP versions from 700 all the way up to 757. Customers should prioritize patching this flaw, since the effort and complexity of installing the patch are rated low while exploitation is likely.
Customers should also combine this patching activity with SAP Note 3294595 (listed as CVE-2023-27269), which fixes another directory traversal vulnerability, this time in SAP NetWeaver AS for ABAP and ABAP Platform in all versions.
Finally, there are four (4) more SAP Security Patches that resolve vulnerabilities with a High priority rating, ranging from CVSS 7.2 to 8.8. The SecurityBridge team has reviewed all vulnerabilities and updated the security platform's detection signatures and the cloud backbone.
Here you can learn more about the vulnerability types in the context of SAP. As always, we recommend that customers apply the latest security patches as soon as possible to protect their systems from cyber threats.
Summary by Severity
The March release contains a total of 21 patches (including 3 updates) with the following severities:

| Severity | Number |
|---|---|
| Hot News | 6 |
| High | 4 |
| Medium | 11 |
SAP categorizes all of the following corrections as "Program error". The Severity column reflects SAP's priority (HotNews, Correction with high priority, or Correction with medium priority).

| Note | CVE | Description | Component | Released on | Severity | CVSS |
|---|---|---|---|---|---|---|
| 3289844 | CVE-2023-25615 | SQL Injection vulnerability in SAP ABAP Platform | BC-DWB-TOO-TDF | 14.03.2023 | Medium | 6.8 |
| 3245526 | CVE-2023-25616 | Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | BI-BIP-CMC | 14.03.2023 | Hot News | 9.9 |
| 3283438 | CVE-2023-25617 | OS Command Execution vulnerability in SAP BusinessObjects Business Intelligence Platform (Adaptive Job Server) | BI-BIP-SRV | 14.03.2023 | Hot News | 9.0 |
| 3302710 | CVE-2023-27895 | Information Disclosure vulnerability in SAP Authenticator for Android | BC-IAM-SSO-OTP | 14.03.2023 | Medium | 6.1 |
| 3296328 | CVE-2023-27270 | Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | BC-MID-ICF | 14.03.2023 | Medium | 6.5 |
| 3294954 | CVE-2023-27501 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-CTS-TMS | 14.03.2023 | High | 8.7 |
| 3252433 | CVE-2023-23857 | Improper Access Control in SAP NetWeaver AS for Java | BC-CST-EQ | 14.03.2023 | Hot News | 9.9 |
| 3294595 | CVE-2023-27269 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-CCM-PRN | 14.03.2023 | Hot News | 9.6 |
| 3296346 | CVE-2023-26459 | Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | BC-MID-ICF | 14.03.2023 | High | 7.4 |
| 3281484 | CVE-2023-26457 | Cross-Site Scripting (XSS) vulnerability in SAP Content Server | BC-SRV-KPR-CS | 14.03.2023 | Medium | 6.1 |
| 3274920 | CVE-2023-0021 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | BC-CCM-PRN-PC | 14.03.2023 | Medium | 6.1 |
| 3302162 | CVE-2023-27500 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-DOC-RIT | 14.03.2023 | Hot News | 9.6 |
| 3284550 | CVE-2023-26461 | XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | EP-PIN-PSL | 14.03.2023 | Medium | 6.8 |
| 3296476 | CVE-2023-27893 | Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | SV-SMG-SDD | 14.03.2023 | High | 8.8 |
| 3275727 | CVE-2023-27498 | Memory Corruption vulnerability in SAPOSCOL | BC-CCM-MON-OS | 14.03.2023 | High | 7.2 |
| 3287120 | Multiple CVEs | Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | 14.03.2023 | Medium | 6.5 |
| 3288480 | CVE-2023-27268 | Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | BC-JAS-COR-SES | 14.03.2023 | Medium | 5.3 |
| 3288096 | CVE-2023-26460 | Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | BC-JAS-COR-CSH | 14.03.2023 | Medium | 5.3 |
| 3288394 | CVE-2023-24526 | Improper Access Control in SAP NetWeaver AS Java (Classload Service) | BC-JAS-COR | 14.03.2023 | Medium | 5.3 |
| 3273480 | CVE-2022-41272 | Improper Access Control in SAP NetWeaver AS Java (User Defined Search) | BC-XI-CON-UDS | 13.12.2022 | Hot News | 9.9 |
| 3274585 | CVE-2023-25614 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | BC-BSP | 14.02.2023 | Medium | 6.1 |