
SAP Security Patch Day – March 2023

Posted by Christoph Nagy

On March 14th, SAP released its latest Security Patch Day, an important date for cybersecurity-conscious customers of the leading enterprise application provider from Walldorf, Germany. Detecting missing patches within complex environments can be challenging, but many security-aware SAP customers use intelligent tools to help them. Often, false positives cause significant trouble and wasted effort. Fortunately, SecurityBridge Patch Management for SAP provides a solution that boasts the highest accuracy in the industry.


The March 2023 Security Patch Day stands out for the publication of five (5) critical corrections rated between CVSS 9.0 and 9.9. You can find the full list here. Although the CVSS rating provided by the vendor (SAP) is often questioned by threat intelligence providers, who also correlate field experience such as whether an exploitation script or proof of concept exists or whether the vulnerability has been used during active infiltration, the rating is helpful for customers to prioritize their patching efforts. Some of the leading providers of threat intelligence include Microsoft, Mandiant, and NTT Security.

SAP Security Patches March 2023

In the March 2023 SAP Security Patch Day, SAP released 19 security corrections (plus 3 updates), including fixes for flagship products such as SAP NetWeaver AS for ABAP and ABAP Platform, SAP NetWeaver AS for Java, and SAP BusinessObjects Business Intelligence Platform.

One of the most critical vulnerabilities resolved on this Patch Day is the CVSS 9.9 code injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC), addressed by SAP Note 3245526 (listed as CVE-2023-25616). Another critical vulnerability is the improper access control in SAP NetWeaver AS Java, rated CVSS 9.9 and resolved by implementing SAP Note 3252433 (listed as CVE-2023-23857). The underlying flaw is a missing authentication check, which allows a threat actor to gain access to the directory of API services. Due to its high likelihood of exploitation, we advise customers to patch this vulnerability as soon as possible.


Another vulnerability fixed with SAP Note 3283438 (listed as CVE-2023-25617) is rated CVSS 9.6 at Hot News priority: the directory traversal vulnerability in the SAPRSBRO program, which exists in SAP S/4HANA and affects many SAP versions from 700 all the way up to 757. Customers should prioritize patching this flaw, since the effort and complexity of the patch installation are rated low while exploitation is likely.

Customers should also combine this patching activity with SAP Note 3294595 (listed as CVE-2023-27269), which fixes another directory traversal vulnerability, this time in SAP NetWeaver AS for ABAP and ABAP Platform in all versions.

Finally, there are four (4) more SAP security patches that resolve vulnerabilities with a High priority rating, ranging from CVSS 7.2 to 8.8. The SecurityBridge team has reviewed all vulnerabilities and updated the platform's detection signatures and the cloud backbone.

Here you can learn more about the vulnerability types in the context of SAP. As always, we recommend that customers apply the latest security patches as soon as possible to protect their systems from cyber threats.

Summary by Severity

The March release contains a total of 21 patches (including 3 updates) with the following severities:

| Severity | Number |
|---|---|
| Hot News | 6 |
| High | 4 |
| Medium | 11 |
| Note | Description | Priority | Released on | Component | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3289844 | [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform | Correction with medium priority | 14.03.2023 | BC-DWB-TOO-TDF | Program error | Medium | 6.8 |
| 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | Hot News | 14.03.2023 | BI-BIP-CMC | Program error | Hot News | 9.9 |
| 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | Hot News | 14.03.2023 | BI-BIP-SRV | Program error | Hot News | 9.0 |
| 3302710 | [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android | Correction with medium priority | 14.03.2023 | BC-IAM-SSO-OTP | Program error | Medium | 6.1 |
| 3296328 | [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with medium priority | 14.03.2023 | BC-MID-ICF | Program error | Medium | 6.5 |
| 3294954 | [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with high priority | 14.03.2023 | BC-CTS-TMS | Program error | High | 8.7 |
| 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | Hot News | 14.03.2023 | BC-CST-EQ | Program error | Hot News | 9.9 |
| 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | Hot News | 14.03.2023 | BC-CCM-PRN | Program error | Hot News | 9.6 |
| 3296346 | [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | Correction with high priority | 14.03.2023 | BC-MID-ICF | Program error | High | 7.4 |
| 3281484 | [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server | Correction with medium priority | 14.03.2023 | BC-SRV-KPR-CS | Program error | Medium | 6.1 |
| 3274920 | [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | Correction with medium priority | 14.03.2023 | BC-CCM-PRN-PC | Program error | Medium | 6.1 |
| 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | Hot News | 14.03.2023 | BC-DOC-RIT | Program error | Hot News | 9.6 |
| 3284550 | [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | Correction with medium priority | 14.03.2023 | EP-PIN-PSL | Program error | Medium | 6.8 |
| 3296476 | [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | Correction with high priority | 14.03.2023 | SV-SMG-SDD | Program error | High | 8.8 |
| 3275727 | [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL | Correction with high priority | 14.03.2023 | BC-CCM-MON-OS | Program error | High | 7.2 |
| 3287120 | [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | Correction with medium priority | 14.03.2023 | BI-BIP-INV | Program error | Medium | 6.5 |
| 3288480 | [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR-SES | Program error | Medium | 5.3 |
| 3288096 | [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR-CSH | Program error | Medium | 5.3 |
| 3288394 | [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) | Correction with medium priority | 14.03.2023 | BC-JAS-COR | Program error | Medium | 5.3 |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | Hot News | 13.12.2022 | BC-XI-CON-UDS | Program error | Hot News | 9.9 |
| 3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | Correction with medium priority | 14.02.2023 | BC-BSP | Program error | Medium | 6.1 |
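As an added example (not SecurityBridge's or SAP's code), the following Python helper parses records in the flattened layout in which this patch list was published (the three sample rows are copied from it), flags re-released updates by their original release date, and lists the notes a system still lacks, most urgent first. The `implemented` set of note numbers is an assumed input; in practice it would come from the system's note inventory.

```python
import re
from dataclasses import dataclass

# Constructed sample: three rows in the flattened layout of the table above.
SAMPLE = """\
3245526[CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)
Priority: HotNews
Released on: 14.03.2023
Components: BI-BIP-CMC
Category: Program error
Hot News9,9
3289844[CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform
Priority: Correction with medium priority
Released on: 14.03.2023
Components: BC-DWB-TOO-TDF
Category: Program error
Medium6,8
3273480[CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-UDS
Category: Program error
Hot News9,9
"""
PATCH_DAY = "14.03.2023"
RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Note:
    number: str
    cve: str
    title: str
    released: str
    severity: str
    cvss: float
    def is_update(self) -> bool:
        """A note first released on an earlier Patch Day is a re-released update."""
        return self.released != PATCH_DAY
# One record: "<note>[<CVE>] <title>", four "Key: value" lines, then "<Severity><cvss>".
RECORD = re.compile(
    r"^(\d{7})\[([^\]]+)\] (.+)\nPriority: .+\nReleased on: (\S+)\n"
    r"Components: .+\nCategory: .+\n(Hot News|High|Medium|Low)(\d+,\d+)$", re.M)

def parse(text: str) -> list[Note]:
    # CVSS values are printed with a decimal comma ("9,9"); normalise to float.
    return [Note(n, c, t, r, s, float(v.replace(",", ".")))
            for n, c, t, r, s, v in RECORD.findall(text)]

def missing(text: str, implemented: set[str]) -> list[Note]:
    """Notes still to implement, most urgent first (severity, then CVSS)."""
    todo = [n for n in parse(text) if n.number not in implemented]
    return sorted(todo, key=lambda n: (RANK[n.severity], -n.cvss))
```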