On April 11th, SAP released its latest Security Patch Day following the Easter break. This day is crucial for businesses that rely on SAP software and are concerned about cybersecurity. In this article, we will take a closer look at four HotNews patches that have been released or updated. HotNews patches are the most critical patches that SAP releases. They address vulnerabilities that could potentially lead to a high-risk security breach. Therefore, it is essential that businesses prioritize and apply these patches promptly to minimize the risk of an attack.
SAP Security Patches April 2023
On April 11th, 2023, SAP released its latest Security Patch Day, which included 21 new security corrections and two updates. Among the fixes were patches for a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform.
It is worth noting that one Security Note has been marked with the category “Consulting”. This means that it does not directly address a security vulnerability but rather provides guidance and recommendations for businesses to improve their overall security posture. Additionally, SAP Business Object Business Intelligence Platform was once again a focus of the Security Patch Day, with several patches released to address various vulnerabilities. Lets look into the highlights.
One of the critical patches released during the April 11th, 2023 SAP Security Patch Day was 3294595, which addressed a Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform. This patch had a HotNews priority rating by SAP, indicating its high severity. The vulnerability, identified by the CVE-2023-27269 identifier, had a CVSS score of 9.6, which was carried over from the initial release of the patch in March. However, the April update contained a reworked solution description that provided a workaround for those who were unable to implement the suggested support package immediately.
Another troublesome patch released during the April 11th, 2023 SAP Security Patch Day is SNote 3305369, which addresses multiple vulnerabilities in SAP Diagnostics Agent. This patch is crucial for businesses using the SAP Solution Manager system landscape, as the Diagnostics Agent is a central component.
The patch fixes multiple vulnerabilities that could lead to Remote Code Execution (RCE) through the OSCommand Bridge and EventLogServiceCollector. Our experts strongly recommend that businesses prioritize this patch, as the LogService and OSCommand Bridge vulnerabilities could be exploited by attackers to gain unauthorized access to systems.
SAP has released another security fix, patch 3298961, for SAP BusinessObjects Business Intelligence Platform. This patch addresses the CVE-2023-28765 vulnerability, which involves information disclosure in the Promotion Management feature. Customers affected by this vulnerability should update the patch level to resolve the issue.
Additionally, there is a vulnerability related to the IP filter in ABAP Platform and SAP Web Dispatcher. Due to erroneous IP netmask handling, this vulnerability could enable access to backend applications from unwanted sources. While successful exploitation of this vulnerability could cause limited impact on the confidentiality of the application, it still requires consulting.
For further information about this vulnerability, customers can refer to patch 3315312, which addresses the CVE-2023-29108 IP filter vulnerability in ABAP Platform and SAP Web Dispatcher. To learn more about securing the SAP Web Dispatcher and ICM, please refer to the following article: SECURING YOUR SAP INTERNET COMMUNICATION MANAGER (ICM).
Summary by Severity
The April release contains a total of 21 patches for the following severities: