
SAP Security Patch Day – January 2023


As we start the New Year, it is important for organizations to make sure that their systems are secure and up-to-date with the latest security patches. On January 10th, 2023, the SAP Response Team released several security patches as part of the monthly SAP Security Patch Day to address various vulnerabilities in their products. In this article, we will highlight the most important patches released and the potential risks they address to help you make informed decisions about applying these updates to your systems. We would like to extend our warmest Happy New Year greetings to all our SAP customers, and remind them of the importance of keeping their systems secure and up-to-date to protect against potential cyber-attacks.

SAP Security Patches December 2022

On January 10, 2023, SAP released several security patches for their products as part of the monthly SAP Security Patch Day. The following HotNews patches were released:

  • SNote 3262810, titled “Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)”, addresses a vulnerability with a CVSS score of 9.9. SAP BusinessObjects Business Intelligence platform, and the Analysis edition for OLAP in particular, is designed for analysing and visualising large volumes of data, identifying trends and patterns, and supporting informed business decisions. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

  • SNote 3268093, titled “Improper access control in SAP NetWeaver AS for Java”, addresses a vulnerability with a CVSS score of 9.4. An attacker who is not authorized to access a system can exploit an unsecured interface and use a directory application programming interface (API) that is open to the public to access services on the system. This can lead to unauthorized actions that may have an impact on the users and data of the system. The attacker can potentially gain full read access to users’ data, change users’ data and block certain services of the system. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3089413, titled “Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”, addresses a vulnerability with a CVSS score of 9.0. A Capture-replay vulnerability is a type of vulnerability that allows an attacker to intercept and record communications between a user and a system, and then replay that recorded communication at a later time. The attacker can use this recorded communication to impersonate the user and gain unauthorized access to the system or perform unauthorized actions. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted. 

  • SNote 3275391, titled “SQL Injection vulnerability in SAP Business Planning and Consolidation MS”, addresses a vulnerability with a CVSS score of 9.9. SAP Business Planning and Consolidation (BPC) MS is a software solution offered by SAP that enables organizations to plan, budget, forecast, and consolidate their financial and operational data. It is designed to provide a single, integrated platform for financial consolidation, planning, and forecasting, using both financial and operational data. BPC MS uses a multidimensional database, allowing users to access and analyze data across multiple dimensions and perform complex calculations with ease. It allows companies to integrate financial and operational data, providing a comprehensive view of performance, and to model various scenarios in order to identify the best course of action. BPC MS can integrate with other SAP systems, such as SAP ECC, SAP S/4HANA, and SAP BW, to provide a complete picture of the organization’s financial and operational performance. Due to the severity of this vulnerability, and given the possibility of integration with the core SAP environments, our experts recommend implementing the patch with priority.

  • SNote 3243924, titled “Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)”, addresses a vulnerability with a CVSS score of 9.9 and was first released on November 8, 2022. Insecure Deserialization of Untrusted Data is a vulnerability that occurs when an application deserializes data that has not been properly validated or authenticated; this can lead to unintended code execution and, from there, to a wide range of security risks. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.
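The capture-replay class described for SNote 3089413 above, shown as an added illustration that is not part of the original article and not SAP code: the client binds each request to a fresh nonce and a timestamp under an HMAC, and the receiver rejects any message whose MAC does not verify, whose timestamp is outside a freshness window, or whose nonce it has already accepted. A captured copy of a valid message therefore cannot be replayed. The shared key, the message fields, the 30-second window and the user/action names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between client and server (constructed for this example).
SHARED_KEY = b"example-shared-secret-not-for-production"

# How far a message timestamp may drift from the receiver's clock before it is rejected.
FRESHNESS_WINDOW_SECONDS = 30


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_request(user: str, action: str, nonce: str, issued_at: float) -> dict:
    """Client side: bind user, action, a unique nonce and a timestamp under one MAC."""
    body = {"user": user, "action": action, "nonce": nonce, "issued_at": issued_at}
    body["mac"] = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Server side: accepts each nonce once, and only while the timestamp is fresh."""

    def __init__(self, window: int = FRESHNESS_WINDOW_SECONDS):
        self.window = window
        self.seen: dict[str, float] = {}  # nonce -> issued_at, kept for expiry

    def verify(self, message: dict, now: float) -> tuple[bool, str]:
        msg = dict(message)
        mac = msg.pop("mac", None)
        if mac is None:
            return False, "missing mac"
        expected = hmac.new(SHARED_KEY, _canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison; a tampered field changes the canonical bytes.
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"
        if abs(now - msg["issued_at"]) > self.window:
            return False, "stale timestamp"
        # Drop nonces older than the window; a replay of those fails the timestamp check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["issued_at"]
        return True, "accepted"


def demo() -> list[str]:
    """Exchange: one genuine delivery, a captured replay, a tampered copy, a stale message."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0  # constructed reference clock
    req = build_request("alice", "post-journal", nonce="n-0001", issued_at=t0)
    results = [guard.verify(req, now=t0 + 1)[1]]  # first delivery: accepted
    results.append(guard.verify(req, now=t0 + 2)[1])  # same captured bytes again: rejected
    tampered = dict(req)
    tampered["user"] = "mallory"  # field changed after capture: MAC no longer verifies
    results.append(guard.verify(tampered, now=t0 + 3)[1])
    late = build_request("alice", "post-journal", nonce="n-0002", issued_at=t0)
    results.append(guard.verify(late, now=t0 + 120)[1])  # valid MAC, but outside the window
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce set only has to cover the freshness window, which is what keeps this approach cheap on the server; without the timestamp check the receiver would have to remember every nonce forever.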

It is important to timely patch enterprise critical SAP applications for several reasons. Cyberattacks are becoming increasingly sophisticated and frequent, and timely patching is essential to ensure that known vulnerabilities are addressed, and systems are protected against potential attacks.

Also, many organizations are subject to various regulations and standards that require them to keep their systems up-to-date with security patches, such as GDPR, PCI-DSS, HIPAA, and SOX.

Furthermore, enterprise critical SAP applications are vital to the day-to-day operations of the business, and patching ensures that they continue to operate smoothly and without interruption.

Do not forget that unpatched systems are more susceptible to data breaches and loss of sensitive information; timely patching helps to prevent data loss and to maintain the confidentiality, integrity, and availability of data.

In summary, timely patching of enterprise critical SAP applications is critical to maintain the security, integrity and availability of the application and the data they hold, and to ensure the business continuity and compliance with the regulations.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 10 patches for the following severities:

Severity    Number
Hot News    5
High        0
Medium      5

Note 3262810: [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)
    Severity: Hot News | CVSS: 9.9
    Priority: HotNews | Released on: 10.01.2023 | Components: BI-RA-AWB | Category: Program error

Note 3150704: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)
    Severity: Medium | CVSS: 4.5
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: FIN-FSCM-CLM-BAM | Category: Program error

Note 3283283: [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Severity: Medium | CVSS: 6.1
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-ABA-LA | Category: Program error

Note 3268093: [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java
    Severity: Hot News | CVSS: 9.4
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-CON-JCO | Category: Program error

Note 3266006: [CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
    Severity: Medium | CVSS: 5.4
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-CR | Category: Program error

Note 3089413: [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Severity: Hot News | CVSS: 9.0
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-RFC | Category: Program error

Note 3275391: [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS
    Severity: Hot News | CVSS: 9.9
    Priority: HotNews | Released on: 10.01.2023 | Components: EPM-BPC-MS | Category: Program error

Note 3251447: [CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
    Severity: Medium | CVSS: 4.6
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-WBI-FE | Category: Program error

Note 3276120: [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)
    Severity: Medium | CVSS: 6.4
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-CCM-HAG | Category: Program error

Note 3243924: [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)
    Severity: Hot News | CVSS: 9.9
    Priority: HotNews | Released on: 08.11.2022 | Components: BI-RA-WBI-FE | Category: Program error
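The note table above, together with the patching argument that precedes it, worked as an added example that is not SecurityBridge's or SAP's code: the ten notes are embedded as constructed sample input using the page's own fields (note number, CVE, title, severity, release date, CVSS with the page's comma decimals), parsed, counted per severity, checked against the CVSS bands SAP uses for its note priorities (assumed here as Hot News 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9) and ordered for rollout. The 30-day threshold used to flag a note as overdue relative to the patch day is also an assumption made for this example; the ordering puts the re-released November 2022 note first because it is the oldest of the 9.9-rated notes.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample input: the ten notes from the page's table, one per line, as
# "note;CVE;title;severity;released (DD.MM.YYYY);CVSS" with comma decimals as on the page.
NOTE_TABLE = """\
3262810;CVE-2023-0022;Code Injection vulnerability in SAP BusinessObjects BI platform (Analysis edition for OLAP);Hot News;10.01.2023;9,9
3150704;CVE-2023-0023;Information Disclosure in SAP Bank Account Management (Manage Banks);Medium;10.01.2023;4,5
3283283;CVE-2023-0013;Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform;Medium;10.01.2023;6,1
3268093;CVE-2023-0017;Improper access control in SAP NetWeaver AS for Java;Hot News;10.01.2023;9,4
3266006;CVE-2023-0018;Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI Platform (Central management console);Medium;10.01.2023;5,4
3089413;CVE-2023-0014;Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform;Hot News;10.01.2023;9,0
3275391;CVE-2023-0016;SQL Injection vulnerability in SAP Business Planning and Consolidation MS;Hot News;10.01.2023;9,9
3251447;CVE-2023-0015;Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI (Web Intelligence);Medium;10.01.2023;4,6
3276120;CVE-2023-0012;Local Privilege Escalation in SAP Host Agent (Windows);Medium;10.01.2023;6,4
3243924;CVE-2022-41203;Insecure Deserialization of Untrusted Data in SAP BusinessObjects BI Platform (CMC and BI Launchpad);Hot News;08.11.2022;9,9
"""

# CVSS bands per SAP note priority (assumed mapping, see lead-in).
SEVERITY_BANDS = {
    "Hot News": (9.0, 10.0),
    "High": (7.0, 8.9),
    "Medium": (4.0, 6.9),
    "Low": (0.1, 3.9),
}


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    severity: str
    released: date
    cvss: float


def _parse_date(text: str) -> date:
    return datetime.strptime(text, "%d.%m.%Y").date()


def parse_notes(text: str) -> list[Note]:
    """Parse the semicolon-separated note lines; CVSS uses a comma decimal as on the page."""
    notes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, cve, title, severity, released, cvss = line.split(";")
        notes.append(Note(number, cve, title, severity, _parse_date(released),
                          float(cvss.replace(",", "."))))
    return notes


def summarize(notes: list[Note]) -> dict[str, int]:
    """Count notes per severity, reproducing the page's summary table (including empty bands)."""
    counts = {s: 0 for s in SEVERITY_BANDS}
    for n in notes:
        counts[n.severity] += 1
    return counts


def band_mismatches(notes: list[Note]) -> list[str]:
    """Notes whose CVSS does not fall inside the band their stated severity implies."""
    bad = []
    for n in notes:
        lo, hi = SEVERITY_BANDS[n.severity]
        if not lo <= n.cvss <= hi:
            bad.append(n.number)
    return bad


def prioritize(notes: list[Note], patch_day: str, overdue_after_days: int = 30) -> list[tuple]:
    """Rollout order: highest CVSS first, oldest release first among equals; flag overdue notes."""
    ref = _parse_date(patch_day)
    ordered = sorted(notes, key=lambda n: (-n.cvss, n.released))
    return [(n.number, n.cvss, (ref - n.released).days > overdue_after_days) for n in ordered]


if __name__ == "__main__":
    parsed = parse_notes(NOTE_TABLE)
    print(summarize(parsed))
    print(band_mismatches(parsed))
    for number, cvss, overdue in prioritize(parsed, "10.01.2023"):
        print(number, cvss, "OVERDUE" if overdue else "")
```

Running the block prints the same counts as the summary table (five Hot News, no High, five Medium), an empty mismatch list, and the rollout order with note 3243924 flagged as overdue because it was first released on 08.11.2022.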

Posted by Christoph Nagy