Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – February 2023

SAP security Patch day

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for Jan'23

On February 14th, 2023, SAP released their monthly product patches with significant security implications to their customers. SAP’s product portfolio is extensive and widely used by organizations to process critical business information. As a result, many businesses have established a regular and precise patch cycle, which typically begins with SAP’s Security Patch Day.

To ensure the utmost security, clients manually search for newly released security patches and scan their content. This effort requires sorting and filtering patches by relevance and priority. Once this is done, the implementation can commence. Most of the time, the SAP transaction code SNOTE is used to download and install the patch. However, this process requires expert knowledge and is not comparable to Windows’ automatic update.

Ivan webinar
nipun

Webinar

Why SAP Security Patching isn't like Windows updates

Check the webinar recording here

Once the patch is installed, it can only be deployed into the development stack. The patch must undergo successful testing in the testing environment before promoting it into the production system. During a specific maintenance window, the critical correction(s) can be implemented into the production system to avoid any disruption to business operations.

The cycle starts again today, as it is the SAP Security Patch Day of February 2023.

SAP Security Patches February 2023

Today, we are highlighting the key updates released during SAP’s Security Patch Day in February 2023.

  • SNote 20622600, titled “Security updates for the browser control Google Chromium delivered with SAP Business Client”, addresses a vulnerability with a CVSS score of 10.0. Google Chrome in SAP Business Client receives monthly updates. However, the scoring for vulnerabilities is often high, and therefore, the associated risks should not be underestimated. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

Fortunately, this was the only SAP Security Patch that received HotNews status. However, the Patch Release contains four additional patches with high priority.

White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
  • SNote 3271091, titled “Privilege escalation vulnerability in SAP Business Planning and Consolidation”, addresses a vulnerability with a CVSS score of 8.5. The patch was updated an Version 6 is available. A malicious user may execute unauthorized transaction functionality. Under specific circumstances, a successful attack could enable an adversary to escalate their privileges to be able to read, change or delete system data. We recommend to implement the update of the previous version to ensure the patch offers effective protection.

  • SNote 3256787, titled “Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform”, addresses a vulnerability with a CVSS score of 8.4. Only authenticated and privileged accounts can be used to exploit this vulnerability. On successful exploitation however, attacker can perform operations that may completely compromise the application causing high impact on confidentiality, integrity and availability of the application.
    Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

  • SNote 3285757, titled “Privilege Escalation vulnerability in SAP Host Agent (Start Service)”, addresses a vulnerability with a CVSS score of 8.8. A non-admin user with local access to a server port assigned to the SAP Host Agent Service can execute an operating system command with admin privileges by submitting a specially crafted webservice request. This command can access and modify user and system data, potentially cause system outage.
    It is highly recommended to implement the security patch immediately in order to address this vulnerability and prevent potential exploitation.

  • SNote 3263135, titled “Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform”, addresses a vulnerability with a CVSS score of 8.5. An authenticated attacker can gain access to restricted sensitive information through SAP BusinessObjects Business Intelligence platform. Exploiting this information disclosure vulnerability could result in a significant impact on confidentiality and a limited impact on the application’s integrity.
    It is recommended to implement the security patch in a timely manner to elemeniate this vulnerability and prevent potential exploitation.

Summary by Severity

The February release contains a total of 24 patches for the following severities:

Severity Number
Hot News
 1
High
 4
Medium
 18
Low
 1
Note Description Severity CVSS
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error		 Hot News 10,0
3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
Priority: Correction with high priority
Released on: 13.12.2022
Components: EPM-BPC-NW
Category: Program error		 High 8,5
3256787 [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC)
Priority: Correction with high priority
Released on: 14.02.2023
Components: BI-BIP-CMC
Category: Program error		 High 8,4
3287291 [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform
Priority: Correction with low priority
Released on: 14.02.2023
Components: BC-DWB-TOO-ABA
Category: Program error		 Low 3,8
3285757 [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service)
Priority: Correction with high priority
Released on: 14.02.2023
Components: BC-CCM-HAG
Category: Program error		 High 8,8
2788178 [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI
Priority: Correction with medium priority
Released on: 14.02.2023
Components: CA-WUI-UI-TAG
Category: Program error		 Medium 4,3
2985905 [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data
Priority: Correction with medium priority
Released on: 14.02.2023
Components: CA-GTF-CSC-DME
Category: Program error		 Medium 6,5
3275841 [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation
Priority: Correction with medium priority
Released on: 14.02.2023
Components: EPM-BPC-NW-INF
Category: Program error 		Medium 5,4
3293786 [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-ABA-LA
Category: Program error		 Medium 6,1
3281724 [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: GRC-SPC-AC
Category: Program error		 Medium 6,5
3290901 [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: FI-TV-ODT-MTR
Category: Program error		 Medium 6,5
3282663 [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: CA-GTF-PCF
Category: Program error		 Medium 6,1
3274585 [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-BSP
Category: Program error		 Medium 6,1
3269118 [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-BSP
Category: Program error		 Medium 6,1
3269151 [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-BSP
Category: Program error		 Medium 6,1
3271227 [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-MID-ICF
Category: Program error		 Medium 6,1
3268959 [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BC-MID-AC
Category: Program error		 Medium 6,1
3266751 [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2
Priority: Correction with medium priority
Released on: 14.02.2023
Components: SV-SMG-MON-SYS
Category: Program error		 Medium 6,1
3265846 [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: SV-SMG-SVD-SWB
Category: Program error		 Medium 6,5
3267442 [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application)
Priority: Correction with medium priority
Released on: 14.02.2023
Components: SV-SMG-SVD-SWB
Category: Program error		 Medium 6,5
3270509 [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager
Priority: Correction with medium priority
Released on: 14.02.2023
Components: SV-SMG-OP
Category: Program error		 Medium 6,5
3263135 [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform
Priority: Correction with high priority
Released on: 14.02.2023
Components: BI-BIP-INV
Category: Program error		 High 8,5
3263863 [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface
Priority: Correction with medium priority
Released on: 14.02.2023
Components: BI-RA-WBI-FE
Category: Program error		 Medium 4,3
3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-JAS-WEB
Category: Program error		 Medium 6,1
SAP vulnerability

Top 10 Vulnerabilities in SAP

SAP Vulnerability
As we know, SAP (Systems, Applications, and Products in Data Processing) is a widely used enterprise resource planning (ERP) software suite that helps organizations manage various business operations. No digital system is secure by nature or by default - there will always be security challenges, and SAP is no exception. In this article, we discuss the Top 10 vulnerabilities in SAP – how they affect the security of an SAP system, and finally, how to identify and manage them with SecurityBridge.
SAP security Patch day

SAP Security Patch Day – September 2023

SAP Security Patch Day
Today, September 12th, 2023 brings the release of SAP Security Patches for the extensive enterprise application portfolio developed by the Walldorf giant. SAP released 13 new Security Notes and provided 5 updates to previously released Security Notes.
Leadership team

Working Together for Greater SAP Security: SecurityBridge and Protect4S are Joining Forces

Press coverage- Security News
SecurityBridge, a leading provider of cybersecurity solutions for SAP customers, acquired Dutch SAP security specialist Protect4S. Through the acquisition, customers will benefit from an even more comprehensive one-stop-shop software platform that will improve every SAP customer’s security position across all technology stacks.