On March 14th, SAP released its latest Security Patch Day, an important date for customers of the leading enterprise application provider from Germany, Walldorf, who are concerned about cybersecurity. Detecting missing patches within complex environments can be challenging, but many security-aware SAP customers use intelligent tools to help them. Often, false positives cause significant troubles and waste efforts. Fortunately, SecurityBridge Patch Management for SAP provides a solution that boasts the highest accuracy in the industry.
March 2023 Security Patch Day shines because of the publication of five (5) critical corrections ranging between CVSS 9.0 and 9.9. You can find the full list here. Although the CVSS rating provided by the vendor -SAP- is often doubted by threat intelligence providers, who also correlate field experience such as whether an exploitation script/POC exists or if the vulnerability has been used during active infiltration, this information is helpful for customers to prioritize their patching efforts. Some of the leading providers for Threat Intelligence include Microsoft, Mandiant, and NTT Security.
SAP Security Patches March 2023
In the March SAP Security Patch Day 2023, SAP released 19 (+3 Updates) security corrections, including fixes for its flagship products such as SAP NetWeaver AS for ABAP and ABAP Platform, SAP NetWeaver for Java, and SAP Business Object Business Intelligence Platform.
One of the most critical vulnerabilities resolved in this patch day is the CVSS 9.9 code injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC), addressed by SAP Note 3245526 (listed as CVE-2023-25616). Another critical vulnerability is the improperly handled Access Control in SAP NetWeaver AS Java, which rates a CVSS 9.9 and is resolved by implementing SAP Note 3252433 (listed as CVE-2023-23857). This vulnerability implements a missing authentication check, which allows a threat actor to gain access to the directory of API services. Due to its high likelihood of exploitation, we advise customers to patch this vulnerability as soon as possible.
Another vulnerability fixed with SAP Note 3283438 (listed as CVE-2023-25617) is rated with CVSS 9.6 at Hot News priority, and it is the directory traversal vulnerability in SAPRSBRO Program, which exists in SAP S/4HANA and affects many SAP Versions from 700 all the way up to 757. Customers should prioritize patching this flaw since the effort and complexity of the patch installation is rated low, while the exploitation is likely.
Customers should also combine their patching activity for SAP Note 3294595 (listed as CVE-2023-27269), which fixes another directory traversal vulnerability, but this time in SAP NetWeaver AS for ABAP and ABAP Platform in all versions.
Finally, there are four (4) more SAP Security Patches that resolve vulnerabilities with a High priority rating ranging from 7.2 – 8.8. The SecurityBridge team has reviewed all vulnerabilities, updated the security platform detection signatures, and the cloud backbone.
Here you can learn more about the vulnerability types in the context of SAP. As always, we recommend that customers apply the latest security patches as soon as possible to protect their systems from cyber threats.
Summary by Severity
The March release contains a total of 21 (3 Updates) patches for the following severities: