SAP Security Notes - February 2023 - Safe O'Clock

SAP Security Notes – February 2023

February 14, 2023

On the 14th of February 2023, SAP Security Patch Day saw the release of 21 new Security Notes.

There were 5 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 1
Correction with high priority 5
Correction with medium priority 20
Correction with low priority 0

Highlights

On the February Patch Day SAP presents 6 high-severity Notes: 1 rated HotNews and 5 rated as corrections with high priority.

21 is a comparatively large number of Security Notes for one Patch Day; in today's digest we therefore cover only the corrections with the highest priority.

Starting with Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. This update of the Note adds further SAP Business Client releases to the Solution section.

SAP Host Agent received a patch listed in Note 3285757 – Privilege Escalation vulnerability in SAP Host Agent (Start Service) – with a CVSS Score of 8.8, rated as a correction with high priority. An attacker who authenticates as a non-admin user and has local access to the server port designated for the SAP Host Agent service can send a specially crafted web service request containing an operating system command, which is then executed with administrator privileges. Such a command can disable the system and read, alter, or delete any user or system data.

Note 3268172, released in December 2022 – Code Injection vulnerability in SAP BASIS – with a CVSS Score of 8.8, receives an update. The Note has been re-released with updated ‘Correction instruction’ and ‘Symptom’ information. SAP also points out that this Note remains relevant even if your system does not use a HANA DB.

SAP BusinessObjects Business Intelligence Platform received two Security patches. The first is Note 3263135 – Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform – with a CVSS Score of 8.5. Due to this vulnerability, an authenticated attacker can access sensitive information that is otherwise protected. Successful exploitation could have a significant impact on confidentiality while having only a limited impact on the application’s integrity. The second is Note 3256787 – Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) – with a CVSS Score of 8.4. An authenticated admin user may upload malicious code to the Business Intelligence Platform, which the application may then execute via the network.

The last Note to highlight is the update to Note 3271091 – Privilege escalation vulnerability in SAP Business Planning and Consolidation – with a CVSS Score of 8.5. The changes are generally minor, and none of them requires additional customer action.

Summary

SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector
--- | --- | --- | --- | --- | ---
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-CCM-HAG | 3285757 | [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service) | 8.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-DB-HDB-POR | 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8.8 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-INV | 3263135 | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | 8.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPM-BPC-NW | 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8.5 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
BI-BIP-CMC | 3256787 | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | 8.4 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
SV-SMG-SVD-SWB | 3265846 | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
SV-SMG-SVD-SWB | 3267442 | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
SV-SMG-OP | 3270509 | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
GRC-SPC-AC | 3281724 | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
FI-TV-ODT-MTR | 3290901 | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CA-GTF-CSC-DME | 2985905 | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SV-SMG-MON-SYS | 3266751 | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-MID-AC | 3268959 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-MID-ICF | 3271227 | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CA-GTF-PCF | 3282663 | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-ABA-LA | 3293786 | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-JAS-WEB | 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-BSP | 3274585 | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-BSP | 3269151 | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-BSP | 3269118 | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-ABA-LA | 3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPM-BPC-NW-INF | 3275841 | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BI-RA-WBI-FE | 3263863 | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CA-WUI-UI-TAG | 2788178 | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | 4.3 | Correction with medium priority | CVSS:/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
BC-DWB-TOO-ABA | 3287291 | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | 3.8 | Correction with low priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
