
SAP Security Patch Day – January 2023


As we start the New Year, it is important for organizations to make sure that their systems are secure and up-to-date with the latest security patches. On January 10th, 2023, the SAP Response Team released several security patches as part of the monthly SAP Security Patch Day to address various vulnerabilities in their products. In this article, we will highlight the most important patches released and the potential risks they address to help you make informed decisions about applying these updates to your systems. We would like to extend our warmest Happy New Year greetings to all our SAP customers, and remind them of the importance of keeping their systems secure and up-to-date to protect against potential cyber-attacks.

SAP Security Patches December 2022

On January 10, 2023, SAP released several security patches for their products as part of the monthly SAP Security Patch Day. The following HotNews patches were released:

  • SNote 3262810, titled “Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)”, addresses a vulnerability with a CVSS score of 9.9. SAP BusinessObjects Business Intelligence platform, and the Analysis edition for OLAP in particular, is used to analyze and visualize large amounts of data, identify trends and patterns, and make informed business decisions. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

  • SNote 3268093, titled “Improper access control in SAP NetWeaver AS for Java”, addresses a vulnerability with a CVSS score of 9.4. An attacker without authorization on the system can exploit an unsecured interface, a directory application programming interface (API) that is open to the public, to access services on the system. This can lead to unauthorized actions affecting the system's users and data: the attacker can potentially gain full read access to users’ data, change users’ data, and block certain services of the system. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3089413, titled “Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”, addresses a vulnerability with a CVSS score of 9.0. A capture-replay vulnerability allows an attacker to intercept and record communication between a user and a system and then replay that recording at a later time. The attacker can use the recorded communication to impersonate the user and gain unauthorized access to the system or perform unauthorized actions. Since this HotNews vulnerability resides within the flagship product of SAP, many customers may be impacted.

  • SNote 3275391, titled “SQL Injection vulnerability in SAP Business Planning and Consolidation MS”, addresses a vulnerability with a CVSS score of 9.9. SAP Business Planning and Consolidation (BPC) MS is a software solution offered by SAP that enables organizations to plan, budget, forecast, and consolidate their financial and operational data on a single, integrated platform. BPC MS uses a multidimensional database, allowing users to access and analyze data across multiple dimensions and perform complex calculations with ease. It lets companies combine financial and operational data into a comprehensive view of performance and model various scenarios to identify the best course of action. BPC MS can integrate with other SAP systems, such as SAP ECC, SAP S/4HANA, and SAP BW, to provide a complete picture of the organization’s financial and operational performance. Due to the severity of this vulnerability, and given the possibility of integration with the core SAP environments, our experts recommend implementing the patch with priority.

  • SNote 3243924, titled “Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)”, addresses a vulnerability with a CVSS score of 9.9 and was first released on November 8, 2022. Insecure deserialization of untrusted data occurs when an application deserializes data that has not been properly validated and authenticated, which can lead to unintended code execution and, from there, to a wide range of further security risks. Depending on the sensitivity of the data processed by the application, the patch should be installed promptly.

It is important to patch enterprise-critical SAP applications promptly, for several reasons. Cyberattacks are becoming increasingly sophisticated and frequent, and timely patching is essential to ensure that known vulnerabilities are addressed and systems are protected against potential attacks.

Also, many organizations are subject to regulations and standards that require them to keep their systems up-to-date with security patches, such as GDPR, PCI-DSS, HIPAA, and SOX.

Furthermore, enterprise-critical SAP applications are vital to the day-to-day operations of the business, and patching ensures that they continue to operate smoothly and without interruption.

Do not forget that unpatched systems are more susceptible to data breaches and loss of sensitive information; timely patching helps to prevent data loss and maintain the confidentiality, integrity, and availability of data.

In summary, timely patching of enterprise-critical SAP applications is critical to maintaining the security, integrity, and availability of these applications and the data they hold, and to ensuring business continuity and compliance with regulations.

Use SecurityBridge Patch Management to never miss an important patch applicable to your SAP products.

Summary by Severity

The January release contains a total of 10 patches for the following severities:

  Severity    Number
  Hot News    5
  High        0
  Medium      5
Note / Description / Severity / CVSS

  • Note 3262810 [CVE-2023-0022]: Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)
    Priority: HotNews | Released on: 10.01.2023 | Components: BI-RA-AWB | Category: Program error
    Severity: Hot News | CVSS: 9.9

  • Note 3150704 [CVE-2023-0023]: Information Disclosure in SAP Bank Account Management (Manage Banks)
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: FIN-FSCM-CLM-BAM | Category: Program error
    Severity: Medium | CVSS: 4.5

  • Note 3283283 [CVE-2023-0013]: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-ABA-LA | Category: Program error
    Severity: Medium | CVSS: 6.1

  • Note 3268093 [CVE-2023-0017]: Improper access control in SAP NetWeaver AS for Java
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-CON-JCO | Category: Program error
    Severity: Hot News | CVSS: 9.4

  • Note 3266006 [CVE-2023-0018]: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-CR | Category: Program error
    Severity: Medium | CVSS: 5.4

  • Note 3089413 [CVE-2023-0014]: Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
    Priority: HotNews | Released on: 10.01.2023 | Components: BC-MID-RFC | Category: Program error
    Severity: Hot News | CVSS: 9.0

  • Note 3275391 [CVE-2023-0016]: SQL Injection vulnerability in SAP Business Planning and Consolidation MS
    Priority: HotNews | Released on: 10.01.2023 | Components: EPM-BPC-MS | Category: Program error
    Severity: Hot News | CVSS: 9.9

  • Note 3251447 [CVE-2023-0015]: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence)
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BI-RA-WBI-FE | Category: Program error
    Severity: Medium | CVSS: 4.6

  • Note 3276120 [CVE-2023-0012]: Local Privilege Escalation in SAP Host Agent (Windows)
    Priority: Correction with medium priority | Released on: 10.01.2023 | Components: BC-CCM-HAG | Category: Program error
    Severity: Medium | CVSS: 6.4

  • Note 3243924 [CVE-2022-41203]: Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)
    Priority: HotNews | Released on: 08.11.2022 | Components: BI-RA-WBI-FE | Category: Program error
    Severity: Hot News | CVSS: 9.9
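As an added example (not code from SecurityBridge or SAP), the following Python script triages this month's release against an installed-component inventory: it keeps only the notes whose SAP component is in the landscape, orders them Hot News first and then by CVSS, and flags the note that was first released before this Patch Day. The note records are transcribed from the table above; the sample inventory and the rule that a note applies to any parent component in SAP's hierarchical component IDs are assumptions.

```python
# Added example (not SecurityBridge's code): triage the notes in this page's release table
# against an installed-component inventory. The inventory below is a constructed sample.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SapNote:
    note: int
    cve: str
    component: str
    severity: str  # "Hot News" or "Medium", as listed by SAP
    cvss: float
    released: date

# Records transcribed from the release table on this page (titles omitted for brevity).
JANUARY_2023_NOTES = [
    SapNote(3262810, "CVE-2023-0022", "BI-RA-AWB", "Hot News", 9.9, date(2023, 1, 10)),
    SapNote(3150704, "CVE-2023-0023", "FIN-FSCM-CLM-BAM", "Medium", 4.5, date(2023, 1, 10)),
    SapNote(3283283, "CVE-2023-0013", "BC-ABA-LA", "Medium", 6.1, date(2023, 1, 10)),
    SapNote(3268093, "CVE-2023-0017", "BC-MID-CON-JCO", "Hot News", 9.4, date(2023, 1, 10)),
    SapNote(3266006, "CVE-2023-0018", "BI-RA-CR", "Medium", 5.4, date(2023, 1, 10)),
    SapNote(3089413, "CVE-2023-0014", "BC-MID-RFC", "Hot News", 9.0, date(2023, 1, 10)),
    SapNote(3275391, "CVE-2023-0016", "EPM-BPC-MS", "Hot News", 9.9, date(2023, 1, 10)),
    SapNote(3251447, "CVE-2023-0015", "BI-RA-WBI-FE", "Medium", 4.6, date(2023, 1, 10)),
    SapNote(3276120, "CVE-2023-0012", "BC-CCM-HAG", "Medium", 6.4, date(2023, 1, 10)),
    SapNote(3243924, "CVE-2022-41203", "BI-RA-WBI-FE", "Hot News", 9.9, date(2022, 11, 8)),
]

def applies_to(note, installed):
    """True when the note's component is installed or lies under an installed one
    (assumption: SAP component IDs are hierarchical, e.g. BC-MID-RFC sits under BC-MID)."""
    return any(note.component == c or note.component.startswith(c + "-") for c in installed)

def triage(notes, installed, patch_day):
    """Applicable notes, most urgent first: Hot News before Medium, then by CVSS.
    The flag marks notes first released before this Patch Day (re-releases): their
    fix should already be installed, so verify it rather than merely schedule it."""
    hits = [n for n in notes if applies_to(n, installed)]
    hits.sort(key=lambda n: (n.severity != "Hot News", -n.cvss, n.note))
    return [(n.note, n.cve, n.cvss, "re-release" if n.released < patch_day else "new") for n in hits]

def severity_counts(notes):
    """Count notes per severity, which reproduces the Summary by Severity table above."""
    return {s: sum(1 for n in notes if n.severity == s) for s in ("Hot News", "High", "Medium")}

if __name__ == "__main__":
    # Constructed sample landscape: ABAP and Java stacks, Host Agent and a BI platform, no BPC MS.
    inventory = {"BC-MID", "BC-ABA", "BC-CCM-HAG", "BI-RA"}
    for row in triage(JANUARY_2023_NOTES, inventory, date(2023, 1, 10)):
        print(row)
```

For the sample landscape the re-released deserialization note 3243924 sorts to the top, ahead of the new 9.9 code-injection note, because an old fix that is still missing is the bigger exposure.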

Posted by

Christoph Nagy