SAP Security Patch Day – January 2023
As we start the New Year, it is important for organizations to make sure that their systems are secure and up-to-date with the latest security patches. On January 10th, 2023, the SAP Response Team released several security patches as part of the monthly SAP Security Patch Day to address various vulnerabilities in their products. In this article, we will highlight the most important patches released and the potential risks they address to help you make informed decisions about applying these updates to your systems. We would like to extend our warmest Happy New Year greetings to all our SAP customers, and remind them of the importance of keeping their systems secure and up-to-date to protect against potential cyber-attacks.
SAP Security Patches December 2022
On January 10, 2023, SAP released several security patches for their products as part of the monthly SAP Security Patch Day. The following HotNews patches were released:
- SNote 3262810, titled “Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)”, addresses a vulnerability with a CVSS score of 9.9. SAP BusinessObjects Business Intelligence platform, especially the OLAP Analysis edition, is made to analyze and visualize large amounts of data, identify trends and patterns, and support informed business decisions. Depending on the sensitivity of the data processed by the application, the patch should be installed in a timely manner.
- SNote 3268093, titled “Improper access control in SAP NetWeaver AS for Java”, addresses a vulnerability with a CVSS score of 9.4. An attacker who is not authorized to access a system can exploit an unsecured interface and use a directory application programming interface (API) that is open to the public to access services on the system. This can lead to unauthorized actions that may have an impact on the users and data of the system. The attacker can potentially gain full read access to users’ data, change users’ data and block certain services of the system. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.
- SNote 3089413, titled “Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”, addresses a vulnerability with a CVSS score of 9.0. A Capture-replay vulnerability is a type of vulnerability that allows an attacker to intercept and record communications between a user and a system, and then replay that recorded communication at a later time. The attacker can use this recorded communication to impersonate the user and gain unauthorized access to the system or perform unauthorized actions. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.
- SNote 3275391, titled “SQL Injection vulnerability in SAP Business Planning and Consolidation MS”, addresses a vulnerability with a CVSS score of 9.9. SAP Business Planning and Consolidation (BPC) MS is a software solution offered by SAP that enables organizations to plan, budget, forecast, and consolidate their financial and operational data. It is designed to provide a single, integrated platform for financial consolidation, planning, and forecasting, using both financial and operational data. BPC MS uses a multidimensional database, allowing users to access and analyze data across multiple dimensions, and perform complex calculations with ease. It allows companies to integrate financial and operational data, providing a comprehensive view of performance, and to model various scenarios, to identify the best course of action. BPC MS can integrate with other SAP systems, such as SAP ECC, SAP S/4HANA, and SAP BW, to provide a complete picture of the organization’s financial and operational performance.
Due to the severity of this vulnerability, and given the possibility of integration with the core SAP environments, our experts recommend implementing the patch with priority.
- SNote 3243924, titled “Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)”, addresses a vulnerability with a CVSS score of 9.9 and was first released on November 8, 2022. Insecure Deserialization of Untrusted Data is a vulnerability that occurs when an application deserializes data that is not properly validated and authenticated, which can result in unintended execution of code and a wide range of other security risks. Depending on the sensitivity of the data processed by the application, the patch should be installed in a timely manner.
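The capture-replay and untrusted-deserialization items above both come down to what a receiver checks before it acts on a message. The sketch below is an added illustration, not SAP code and not the content of either SNote: `KEY`, `MAX_SKEW`, `sign` and `Receiver` are hypothetical names, and the message is constructed. It authenticates the message, rejects recordings that are stale or already seen, and only then parses the body with a data-only format.

```python
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # assumption: shared secret, constructed for this example
MAX_SKEW = 30                  # assumption: seconds a message stays acceptable


def sign(payload, nonce, ts, key=KEY):
    """Sender side: bind body, nonce and timestamp under one MAC."""
    body = json.dumps(payload, sort_keys=True)
    mac = hmac.new(key, f"{nonce}|{ts}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "ts": ts, "body": body, "mac": mac}


class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def accept(self, msg, now=None):
        now = int(time.time()) if now is None else now
        data = f"{msg['nonce']}|{msg['ts']}|{msg['body']}".encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        # 1. Authenticate before parsing anything the sender controls.
        if not hmac.compare_digest(expected, msg["mac"]):
            return ("rejected", "bad MAC")
        # 2. Freshness: a recording replayed later falls outside the window.
        if abs(now - msg["ts"]) > MAX_SKEW:
            return ("rejected", "stale timestamp")
        # 3. Uniqueness: a replay inside the window reuses a known nonce.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return ("rejected", "replayed nonce")
        self.seen[msg["nonce"]] = msg["ts"]
        # 4. Deserialize with a data-only format (JSON), never a native
        #    object format that can instantiate arbitrary classes.
        return ("accepted", json.loads(msg["body"]))
```

The order of the checks matters: the MAC is verified first so that neither the replay cache nor the parser ever handles unauthenticated input.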
It is important to patch enterprise-critical SAP applications promptly for several reasons. Cyberattacks are becoming increasingly sophisticated and frequent, and timely patching is essential to ensure that known vulnerabilities are addressed and systems are protected against potential attacks.
Also, many organizations are subject to various regulations and standards that require them to keep their systems up-to-date with security patches, such as GDPR, PCI-DSS, HIPAA, and SOX.
Furthermore, enterprise-critical SAP applications are vital to the day-to-day operations of the business, and patching ensures that they continue to operate smoothly and without interruption.
Do not forget that unpatched systems are more susceptible to data breaches and loss of sensitive information; timely patching helps to prevent data loss and maintain the confidentiality, integrity, and availability of data.
In summary, timely patching of enterprise-critical SAP applications is essential to maintain the security, integrity and availability of the applications and the data they hold, and to ensure business continuity and compliance with regulations.
Summary by Severity
The January release contains a total of 10 patches for the following severities: