
SAP Security Patch Day – March 2023

Christoph Nagy
Managing director
March 14, 2023

On March 14th, SAP released its latest Security Patch Day, an important date for cybersecurity-conscious customers of the leading enterprise application provider from Walldorf, Germany. Detecting missing patches within complex environments can be challenging, but many security-aware SAP customers use intelligent tools to help them. Often, false positives cause significant trouble and wasted effort. Fortunately, SecurityBridge Patch Management for SAP provides a solution that boasts the highest accuracy in the industry.

The March 2023 Security Patch Day stands out because of the publication of five (5) critical corrections rated between CVSS 9.0 and 9.9. You can find the full list here. Although the CVSS rating provided by the vendor, SAP, is often doubted by threat intelligence providers, who also correlate field experience such as whether an exploitation script/PoC exists or whether the vulnerability has been used during active intrusions, this information helps customers prioritize their patching efforts. Some of the leading providers of threat intelligence include Microsoft, Mandiant, and NTT Security.

SAP Security Patches March 2023

In the March 2023 SAP Security Patch Day, SAP released 19 (+3 Updates) security corrections, including fixes for its flagship products such as SAP NetWeaver AS for ABAP and ABAP Platform, SAP NetWeaver AS for Java, and SAP BusinessObjects Business Intelligence Platform.

One of the most critical vulnerabilities resolved in this patch day is the CVSS 9.9 code injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC), addressed by SAP Note 3245526 (listed as CVE-2023-25616). Another critical vulnerability is the improperly handled access control in SAP NetWeaver AS Java, which is rated CVSS 9.9 and is resolved by implementing SAP Note 3252433 (listed as CVE-2023-23857). This vulnerability stems from a missing authentication check, which allows a threat actor to gain access to the directory of API services. Due to its high likelihood of exploitation, we advise customers to patch this vulnerability as soon as possible.

Another vulnerability, fixed with SAP Note 3283438 (listed as CVE-2023-25617), is rated CVSS 9.6 at Hot News priority: a directory traversal vulnerability in the SAPRSBRO program, which exists in SAP S/4HANA and affects many SAP versions from 700 all the way up to 757. Customers should prioritize patching this flaw, since the effort and complexity of installing the patch are rated low while exploitation is considered likely.

Customers should combine this patching activity with SAP Note 3294595 (listed as CVE-2023-27269), which fixes another directory traversal vulnerability, this time in SAP NetWeaver AS for ABAP and ABAP Platform, in all versions.

Finally, four (4) more SAP Security Patches resolve vulnerabilities with a High priority rating, ranging from CVSS 7.2 to 8.8. The SecurityBridge team has reviewed all vulnerabilities and updated the security platform's detection signatures and the cloud backbone.

Here you can learn more about the vulnerability types in the context of SAP. As always, we recommend that customers apply the latest security patches as soon as possible to protect their systems from cyber threats.

Summary by Severity

The March release contains a total of 21 (3 Updates) patches for the following severities:

| Severity | Number |
|---|---|
| Hot News | 6 |
| High | 4 |
| Medium | 11 |
| Note | CVE | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|---|
| 3289844 | CVE-2023-25615 | SQL Injection vulnerability in SAP ABAP Platform | Correction with medium priority | 14.03.2023 | BC-DWB-TOO-TDF | Program error | Medium | 6.8 |
| 3245526 | CVE-2023-25616 | Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | HotNews | 14.03.2023 | BI-BIP-CMC | Program error | Hot News | 9.9 |
| 3283438 | CVE-2023-25617 | OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | HotNews | 14.03.2023 | BI-BIP-SRV | Program error | Hot News | 9.0 |
| 3302710 | CVE-2023-27895 | Information Disclosure vulnerability in SAP Authenticator for Android | Correction with medium priority | 14.03.2023 | BC-IAM-SSO-OTP | Program error | Medium | 6.1 |
| 3296328 | CVE-2023-27270 | Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with medium priority | 14.03.2023 | BC-MID-ICF | Program error | Medium | 6.5 |
| 3294954 | CVE-2023-27501 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with high priority | 14.03.2023 | BC-CTS-TMS | Program error | High | 8.7 |
| 3252433 | CVE-2023-23857 | Improper Access Control in SAP NetWeaver AS for Java | HotNews | 14.03.2023 | BC-CST-EQ | Program error | Hot News | 9.9 |
| 3294595 | CVE-2023-27269 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | HotNews | 14.03.2023 | BC-CCM-PRN | Program error | Hot News | 9.6 |
| 3296346 | CVE-2023-26459 | Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with high priority | 14.03.2023 | BC-MID-ICF | Program error | High | 7.4 |
| 3281484 | CVE-2023-26457 | Cross-Site Scripting (XSS) vulnerability in SAP Content Server | Correction with medium priority | 14.03.2023 | BC-SRV-KPR-CS | Program error | Medium | 6.1 |
| 3274920 | CVE-2023-0021 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | Correction with medium priority | 14.03.2023 | BC-CCM-PRN-PC | Program error | Medium | 6.1 |
| 3302162 | CVE-2023-27500 | Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | HotNews | 14.03.2023 | BC-DOC-RIT | Program error | Hot News | 9.6 |
| 3284550 | CVE-2023-26461 | XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | Correction with medium priority | 14.03.2023 | EP-PIN-PSL | Program error | Medium | 6.8 |
| 3296476 | CVE-2023-27893 | Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | Correction with high priority | 14.03.2023 | SV-SMG-SDD | Program error | High | 8.8 |
| 3275727 | CVE-2023-27498 | Memory Corruption vulnerability in SAPOSCOL | Correction with high priority | 14.03.2023 | BC-CCM-MON-OS | Program error | High | 7.2 |
| 3287120 | Multiple CVEs | Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | Correction with medium priority | 14.03.2023 | BI-BIP-INV | Program error | Medium | 6.5 |
| 3288480 | CVE-2023-27268 | Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR-SES | Program error | Medium | 5.3 |
| 3288096 | CVE-2023-26460 | Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR-CSH | Program error | Medium | 5.3 |
| 3288394 | CVE-2023-24526 | Improper Access Control in SAP NetWeaver AS Java (Classload Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR | Program error | Medium | 5.3 |
| 3273480 | CVE-2022-41272 | Improper access control in SAP NetWeaver AS Java (User Defined Search) | HotNews | 13.12.2022 | BC-XI-CON-UDS | Program error | Hot News | 9.9 |
| 3274585 | CVE-2023-25614 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | Correction with medium priority | 14.02.2023 | BC-BSP | Program error | Medium | 6.1 |
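As an added example (not SecurityBridge's or SAP's code), a small Python parser for the note listing in the flattened layout shown on this page: it turns each note block into a record, recomputes the Summary by Severity figures, and orders the notes for patch scheduling (Hot News first, then by descending CVSS). The sample records are copied from the list above; only three are included so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample in the layout of the note listing above (three records copied from the page).
SAMPLE = """\
3245526 [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
Priority: HotNews
Released on: 14.03.2023
Components: BI-BIP-CMC
Category: Program error
Hot News 9,9
3294954 [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: Correction with high priority
Released on: 14.03.2023
Components: BC-CTS-TMS
Category: Program error
High 8,7
3289844 [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform
Priority: Correction with medium priority
Released on: 14.03.2023
Components: BC-DWB-TOO-TDF
Category: Program error
Medium 6,8
"""

HEAD = re.compile(r"^(\d{7}) \[([^\]]+)\] (.+)$")               # "<note> [<CVE>] <title>"
TAIL = re.compile(r"^(Hot News|High|Medium|Low) (\d+),(\d+)$")   # "<severity> <CVSS with comma decimal>"
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}

def parse_notes(text):
    """Turn each six-line note block into a dict; CVSS '9,9' becomes the float 9.9."""
    notes, cur = [], None
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = {"note": m[1], "cve": m[2], "title": m[3]}
            notes.append(cur)
        elif cur is not None and (m := TAIL.match(line)):
            cur["severity"], cur["cvss"] = m[1], float(f"{m[2]}.{m[3]}")
        elif cur is not None and ": " in line:
            key, _, val = line.partition(": ")
            cur[key.lower()] = val          # priority, released on, components, category
    return notes

def count_by_severity(notes):
    """Recompute the 'Summary by Severity' figures from the parsed list."""
    return dict(Counter(n["severity"] for n in notes))

def patch_order(notes):
    """Scheduling order: Hot News first, then by descending CVSS score."""
    ranked = sorted(notes, key=lambda n: (SEVERITY_RANK[n["severity"]], -n["cvss"]))
    return [n["note"] for n in ranked]
```

Run against the complete listing, `count_by_severity` should reproduce the 6 / 4 / 11 split in the summary table, which is a quick consistency check before the list is fed into a patch plan.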