
SAP Security Patch Day – January 2023


As we start the New Year, it is important for organizations to make sure that their systems are secure and up-to-date with the latest security patches. On January 10th, 2023, the SAP Response Team released several security patches as part of the monthly SAP Security Patch Day to address various vulnerabilities in their products. In this article, we will highlight the most important patches released and the potential risks they address to help you make informed decisions about applying these updates to your systems. We would like to extend our warmest Happy New Year greetings to all our SAP customers, and remind them of the importance of keeping their systems secure and up-to-date to protect against potential cyber-attacks.

SAP Security Patches December 2022

On January 10, 2023, SAP released several security patches for their products as part of the monthly SAP Security Patch Day. The following HotNews patches were released:

  • SNote 3262810, titled “Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)”, addresses a vulnerability with a CVSS score of 9.9. SAP BusinessObjects Business Intelligence platform, and especially the Analysis edition for OLAP, is built for the analysis and visualization of large amounts of data, to identify trends and patterns, and to support informed business decisions. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

  • SNote 3268093, titled “Improper access control in SAP NetWeaver AS for Java”, addresses a vulnerability with a CVSS score of 9.4. An attacker who is not authorized to access a system can exploit an unsecured interface and use a directory application programming interface (API) that is open to the public to access services on the system. This can lead to unauthorized actions that may have an impact on the users and data of the system. The attacker can potentially gain full read access to users’ data, change users’ data and block certain services of the system. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3089413, titled “Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”, addresses a vulnerability with a CVSS score of 9.0. A capture-replay vulnerability allows an attacker to intercept and record communications between a user and a system, and then replay that recorded communication at a later time. The attacker can use this recorded communication to impersonate the user and gain unauthorized access to the system or perform unauthorized actions. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3275391, titled “SQL Injection vulnerability in SAP Business Planning and Consolidation MS”, addresses a vulnerability with a CVSS score of 9.9. SAP Business Planning and Consolidation (BPC) MS is a software solution offered by SAP that enables organizations to plan, budget, forecast, and consolidate their financial and operational data. It is designed to provide a single, integrated platform for financial consolidation, planning, and forecasting, using both financial and operational data. BPC MS uses a multidimensional database, allowing users to access and analyze data across multiple dimensions, and perform complex calculations with ease. It allows companies to integrate financial and operational data, providing a comprehensive view of performance, and to model various scenarios, to identify the best course of action. BPC MS can integrate with other SAP systems, such as SAP ECC, SAP S/4HANA, and SAP BW, to provide a complete picture of the organization’s financial and operational performance. 
    Due to the severity of this vulnerability, and given the possibility of integration with the core SAP environments, our experts recommend implementing the patch with priority.

  • SNote 3243924, titled “Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)”, addresses a vulnerability with a CVSS score of 9.9 and was first released on November 8, 2022. Insecure deserialization of untrusted data is a vulnerability that occurs when an application deserializes data that has not been properly validated and authenticated, which can lead to unintended execution of code and, from there, to a wide range of security risks. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

It is important to patch enterprise-critical SAP applications promptly, for several reasons. Cyberattacks are becoming increasingly sophisticated and frequent, and timely patching is essential to ensure that known vulnerabilities are addressed and systems are protected against potential attacks.

Also, many organizations are subject to various regulations and standards that require them to keep their systems up-to-date with security patches, such as GDPR, PCI-DSS, HIPAA, and SOX.

Furthermore, enterprise critical SAP applications are vital to the day-to-day operations of the business, and patching ensures that they continue to operate smoothly and without interruption.

Do not forget that unpatched systems are more susceptible to data breaches and loss of sensitive information; timely patching helps to prevent data loss and to maintain the confidentiality, integrity, and availability of data.

In summary, timely patching of enterprise-critical SAP applications is critical to maintain the security, integrity and availability of the applications and the data they hold, and to ensure business continuity and compliance with regulations.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 10 patches for the following severities:

  Severity   Number
  Hot News   5
  High       0
  Medium     5

Note, description, severity and CVSS score of each patch:

  • 3262810 [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)
    Priority: HotNews
    Released on: 10.01.2023
    Components: BI-RA-AWB
    Category: Program error
    Severity: Hot News
    CVSS: 9.9

  • 3150704 [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)
    Priority: Correction with medium priority
    Released on: 10.01.2023
    Components: FIN-FSCM-CLM-BAM
    Category: Program error
    Severity: Medium
    CVSS: 4.5

  • 3283283 [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Priority: Correction with medium priority
    Released on: 10.01.2023
    Components: BC-ABA-LA
    Category: Program error
    Severity: Medium
    CVSS: 6.1

  • 3268093 [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java
    Priority: HotNews
    Released on: 10.01.2023
    Components: BC-MID-CON-JCO
    Category: Program error
    Severity: Hot News
    CVSS: 9.4

  • 3266006 [CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
    Priority: Correction with medium priority
    Released on: 10.01.2023
    Components: BI-RA-CR
    Category: Program error
    Severity: Medium
    CVSS: 5.4

  • 3089413 [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Priority: HotNews
    Released on: 10.01.2023
    Components: BC-MID-RFC
    Category: Program error
    Severity: Hot News
    CVSS: 9.0

  • 3275391 [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS
    Priority: HotNews
    Released on: 10.01.2023
    Components: EPM-BPC-MS
    Category: Program error
    Severity: Hot News
    CVSS: 9.9

  • 3251447 [CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
    Priority: Correction with medium priority
    Released on: 10.01.2023
    Components: BI-RA-WBI-FE
    Category: Program error
    Severity: Medium
    CVSS: 4.6

  • 3276120 [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)
    Priority: Correction with medium priority
    Released on: 10.01.2023
    Components: BC-CCM-HAG
    Category: Program error
    Severity: Medium
    CVSS: 6.4

  • 3243924 [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)
    Priority: HotNews
    Released on: 08.11.2022
    Components: BI-RA-WBI-FE
    Category: Program error
    Severity: Hot News
    CVSS: 9.9
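As an added example (not code from the original article or from SecurityBridge), a small Python parser for a note listing in the Note / Priority / Released on / Components / Category / Severity / CVSS layout of the table above: it builds one record per Security Note, orders them Hot News first and then by CVSS, and recounts the severities so the stated "Summary by Severity" can be checked against the detail rows. The embedded sample is constructed from two of the page's ten notes; a decimal comma in the score is accepted as well.

```python
import re

# Constructed sample in the layout of the note listing above; note ids, CVEs,
# components and scores are the ones the page lists (two of the ten notes).
NOTE_LISTING = """\
3150704 [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks)
Priority: Correction with medium priority
Released on: 10.01.2023
Components: FIN-FSCM-CLM-BAM
Category: Program error
Severity: Medium
CVSS: 4.5
3089413 [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
Priority: HotNews
Released on: 10.01.2023
Components: BC-MID-RFC
Category: Program error
Severity: Hot News
CVSS: 9,0
"""

# A record starts with "<7-digit note id> [CVE-...] <title>".
HEADER = re.compile(r"^(\d{7}) \[(CVE-\d{4}-\d+)\] (.+)$")

def parse_notes(text):
    """Turn the flattened listing into one dict per Security Note."""
    notes, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"note": m[1], "cve": m[2], "title": m[3]}
        elif cur is not None and ": " in line:        # "Key: value" detail lines
            key, value = line.split(": ", 1)
            cur[key.lower()] = value
            if key == "CVSS":                        # the score closes the record
                cur["cvss"] = float(value.replace(",", "."))
                notes.append(cur)
                cur = None
    return notes

def prioritize(notes):
    """Hot News first, then by CVSS descending: the order to schedule installs."""
    return sorted(notes, key=lambda n: (n["severity"] == "Hot News", n["cvss"]), reverse=True)

def severity_counts(notes):
    """Recount from the detail rows so the stated summary can be verified."""
    counts = {"Hot News": 0, "High": 0, "Medium": 0}
    for n in notes:
        counts[n["severity"]] = counts.get(n["severity"], 0) + 1
    return counts
```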

Posted by Christoph Nagy