SAP Security Patch Day – January 2023

As we start the New Year, it is important for organizations to make sure that their systems are secure and up-to-date with the latest security patches. On January 10th, 2023, the SAP Response Team released several security patches as part of the monthly SAP Security Patch Day to address various vulnerabilities in their products. In this article, we will highlight the most important patches released and the potential risks they address to help you make informed decisions about applying these updates to your systems. We would like to extend our warmest Happy New Year greetings to all our SAP customers, and remind them of the importance of keeping their systems secure and up-to-date to protect against potential cyber-attacks.

SAP Security Patches December 2022

On January 10, 2023, SAP released several security patches for their products as part of the monthly SAP Security Patch Day. The following HotNews patches were released:

  • SNote 3262810, titled “Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)”, addresses a vulnerability with a CVSS score of 9.9. The SAP BusinessObjects Business Intelligence platform, and in particular the Analysis edition for OLAP, is used to analyse and visualize large amounts of data, identify trends and patterns, and support informed business decisions. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

  • SNote 3268093, titled “Improper access control in SAP NetWeaver AS for Java”, addresses a vulnerability with a CVSS score of 9.4. An attacker who is not authorized to access a system can exploit an unsecured interface and use a directory application programming interface (API) that is open to the public to access services on the system. This can lead to unauthorized actions that may have an impact on the users and data of the system. The attacker can potentially gain full read access to users’ data, change users’ data and block certain services of the system. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3089413, titled “Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”, addresses a vulnerability with a CVSS score of 9.0. A capture-replay vulnerability allows an attacker to intercept and record communication between a user and a system, and then resend that recorded communication at a later time. The attacker can use the recorded communication to impersonate the user and gain unauthorized access to the system or perform unauthorized actions. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.
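To make the replay mechanism concrete, the following is an added Python illustration, not SAP code and not a description of the patched NetWeaver interface: a client authenticates each request with an HMAC over a fresh nonce, a timestamp and the body, and the server rejects a message whose nonce it has already accepted or whose timestamp is outside a freshness window. Without the nonce and timestamp, a captured request would verify again whenever it is resent. The shared key, the 30-second window and the request bodies are constructed for the demo.

```python
"""Replay-resistant request authentication (added illustration, not SAP code)."""
import hashlib
import hmac
import secrets
import time

# Constructed shared secret and freshness window for the demo only.
SHARED_KEY = b"demo-shared-key-not-for-production"
FRESHNESS_WINDOW = 30  # seconds during which a signed request is acceptable


def _mac(key: bytes, ts: str, nonce: str, body: bytes) -> str:
    """HMAC-SHA256 over timestamp, nonce and body, so none of them can be altered."""
    return hmac.new(key, b"|".join([ts.encode(), nonce.encode(), body]), hashlib.sha256).hexdigest()


def sign_request(key: bytes, body: bytes, now: float) -> dict:
    """Client side: attach a fresh random nonce and the current time, then MAC all three."""
    nonce = secrets.token_hex(16)
    ts = str(int(now))
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(key, ts, nonce, body)}


class ReplayGuard:
    """Server side: checks the MAC, the freshness window and nonce uniqueness, in that order."""

    def __init__(self, key: bytes, window: int = FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp of accepted requests, pruned as they age out

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: the timestamp check rejects them anyway.
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, msg: dict, now: float) -> tuple:
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"          # body, nonce or timestamp was tampered with
        ts = int(msg["ts"])
        if abs(now - ts) > self.window:
            return False, "stale"            # too old (or too far in the future) to accept
        self._prune(now)
        if msg["nonce"] in self.seen:
            return False, "replay"           # identical bytes were already accepted once
        self.seen[msg["nonce"]] = ts
        return True, "ok"


def demo() -> list:
    """Runs one legitimate request, its replay, a stale request and a tampered copy."""
    guard = ReplayGuard(SHARED_KEY)
    t0 = time.time()
    req = sign_request(SHARED_KEY, b"transfer?acct=4711", t0)   # constructed request body
    first = guard.verify(req, t0)                                # accepted
    replay = guard.verify(req, t0 + 5)                           # same capture resent: rejected
    late = guard.verify(sign_request(SHARED_KEY, b"x", t0), t0 + 120)  # outside the window
    tampered = dict(req, body=b"transfer?acct=9999")             # body changed, MAC no longer matches
    return [first, replay, late, guard.verify(tampered, t0 + 1)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The nonce store only has to remember nonces for as long as the freshness window, which keeps it bounded; the timestamp check alone would still let an attacker resend a capture within those 30 seconds, which is why both checks are needed.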

  • SNote 3275391, titled “SQL Injection vulnerability in SAP Business Planning and Consolidation MS”, addresses a vulnerability with a CVSS score of 9.9. SAP Business Planning and Consolidation (BPC) MS is a software solution offered by SAP that enables organizations to plan, budget, forecast, and consolidate their financial and operational data. It is designed to provide a single, integrated platform for financial consolidation, planning, and forecasting, using both financial and operational data. BPC MS uses a multidimensional database, allowing users to access and analyze data across multiple dimensions, and perform complex calculations with ease. It allows companies to integrate financial and operational data, providing a comprehensive view of performance, and to model various scenarios, to identify the best course of action. BPC MS can integrate with other SAP systems, such as SAP ECC, SAP S/4HANA, and SAP BW, to provide a complete picture of the organization’s financial and operational performance. 
    Due to the severity of this vulnerability, and given the possibility of integration with the core SAP environments, our experts recommend implementing the patch with priority.

  • SNote 3243924, titled “Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)”, addresses a vulnerability with a CVSS score of 9.9 and was first released on November 8, 2022. Insecure deserialization of untrusted data occurs when an application deserializes data that has not been properly validated and authenticated, which can lead to unintended code execution and a wide range of further security risks. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.
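The affected product is Java-based, but the defensive pattern is the same in any language with a native object serializer. As an added Python illustration (not SAP code), the block below shows why deserializing untrusted bytes is dangerous and how an allow-list closes the hole: `pickle.loads()` reconstructs whatever class the byte stream names, whereas a `RestrictedUnpickler` resolves class references only through an explicit allow-list and refuses everything else before any constructor runs. The `Report` class and the sample payloads are constructed for the demo.

```python
"""Allow-listed deserialization (added illustration, not SAP code)."""
import io
import pickle
from collections import OrderedDict

# The only (module, class) pairs the application is prepared to reconstruct.
# Plain containers (dict, list, set, str, int) need no class lookup at all.
ALLOWED = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that consults ALLOWED for every class reference in the stream."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        # Refuse before anything is instantiated; the sender does not get to choose the class.
        raise pickle.UnpicklingError(f"refusing to reconstruct {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Report:
    """Constructed application class that is deliberately NOT on the allow-list."""

    def __init__(self, title):
        self.title = title


def demo() -> tuple:
    """Loads a plain payload and an allowed class, and shows a disallowed class being refused."""
    plain = safe_loads(pickle.dumps({"rows": [1, 2, 3], "tags": {"q1"}}))
    ordered = safe_loads(pickle.dumps(OrderedDict([("a", 1), ("b", 2)])))
    try:
        safe_loads(pickle.dumps(Report("budget")))   # names a class the server never agreed to build
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return plain, ordered, rejected


if __name__ == "__main__":
    print(demo())
```

For data that crosses a trust boundary, a schema-validated format such as JSON is preferable to any native serializer; the allow-list is the mitigation for code paths where the serializer cannot be replaced, and it must be complete, since any class it admits becomes reachable from untrusted input.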

It is important to timely patch enterprise critical SAP applications for several reasons. Cyberattacks are becoming increasingly sophisticated and frequent, and timely patching is essential to ensure that known vulnerabilities are addressed, and systems are protected against potential attacks.

Also, many organizations are subject to various regulations and standards that require them to keep their systems up-to-date with security patches, such as GDPR, PCI-DSS, HIPAA, and SOX.

Furthermore, enterprise critical SAP applications are vital to the day-to-day operations of the business, and patching ensures that they continue to operate smoothly and without interruption.

Do not forget that unpatched systems are more susceptible to data breaches and the loss of sensitive information; timely patching helps to prevent data loss and to maintain the confidentiality, integrity and availability of data.

In summary, timely patching of enterprise critical SAP applications is critical to maintaining the security, integrity and availability of the applications and the data they hold, and to ensuring business continuity and regulatory compliance.

Use SecurityBridge Patch Management to never miss an important patch applicable to your SAP products.

Summary by Severity

The January release contains a total of 10 patches for the following severities:

Severity    Number
Hot News    5
High        0
Medium      5

Notes in this release (note number, description, severity and CVSS score):

  • 3262810 [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)
    Severity: Hot News, CVSS 9.9
    Priority: HotNews | Released on: 10.01.2023 | Components: BI-RA-AWB | Category: Program error

  • 3150704 [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)
    Severity: Medium, CVSS 4.5
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: FIN-FSCM-CLM-BAM | Category: Program error

  • 3283283 [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Severity: Medium, CVSS 6.1
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-ABA-LA | Category: Program error

  • 3268093 [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java
    Severity: Hot News, CVSS 9.4
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-CON-JCO | Category: Program error

  • 3266006 [CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
    Severity: Medium, CVSS 5.4
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-CR | Category: Program error

  • 3089413 [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Severity: Hot News, CVSS 9.0
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-RFC | Category: Program error

  • 3275391 [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS
    Severity: Hot News, CVSS 9.9
    Priority: HotNews | Released on: 10.01.2023 | Components: EPM-BPC-MS | Category: Program error

  • 3251447 [CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
    Severity: Medium, CVSS 4.6
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-WBI-FE | Category: Program error

  • 3276120 [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)
    Severity: Medium, CVSS 6.4
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-CCM-HAG | Category: Program error

  • 3243924 [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)
    Severity: Hot News, CVSS 9.9
    Priority: HotNews | Released on: 08.11.2022 | Components: BI-RA-WBI-FE | Category: Program error

Posted by Christoph Nagy