SAP Security Notes - January 2023 - Safe O'Clock

January 10, 2023

On the 10th of January 2023, SAP Security Patch Day saw the release of 9 new Security Notes.

There were 3 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 7
Correction with high priority: 0
Correction with medium priority: 5
Correction with low priority: 0

Highlights

On the January Patch Day SAP presents 7 high-severity Notes, all of them rated as HotNews.

Starting with the SAP BusinessObjects Security Notes, the HotNews release of Note 3262810 – Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP) – carries a CVSS score of 9.9. The Analysis edition for OLAP could be compromised by injecting malicious code that the application then executes remotely. The Note presents the support packages and patches that can be applied to mitigate the issue. Security Note 3243924, with a CVSS score of 9.9 – Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) – was re-released from the November 2022 Patch Day with new solution steps for SAP BusinessObjects security.

Security Notes 3266006 and 3251447, both with medium priority, should also be considered for SAP BusinessObjects.

For SAP Business Planning and Consolidation MS, Note 3275391 was released – SQL Injection vulnerability in SAP Business Planning and Consolidation MS. This Note has a CVSS score of 9.9, so it also needs to be reviewed. A potential attacker could execute crafted database queries, putting backend data at risk of being modified or deleted. However, the solution steps are simple to apply.

SAP NetWeaver AS for Java and ABAP receive several Security Notes. Note 3268093 – Improper access control in SAP NetWeaver AS for Java – with a CVSS score of 9.4 concerns the exposure of system data and users: an open naming and directory API could be exploited to read or modify data, or to make it unavailable. Note 3267780 – Improper access control in SAP NetWeaver AS Java (Messaging System) – with a CVSS score of 9.4 receives updated solution steps for the latest releases. Note 3089413 – Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS score of 9.0 describes the possibility of obtaining illegitimate access to the target system if the system identification hash is not unique. The solution can be applied only after certain precautions.

Summary

SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector
BI-RA-AWB | 3262810 | [CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPM-BPC-MS | 3275391 | [CVE-2023-0016] SQL Injection vulnerability in SAP Business Planning and Consolidation MS | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BI-RA-WBI-FE | 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
BC-XI-CON-MSG | 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver AS Java (Messaging System) | 9.4 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
BC-MID-CON-JCO | 3268093 | [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java | 9.4 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
BC-MID-RFC | 3089413 | [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.0 | HotNews | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-CCM-HAG | 3276120 | [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows) | 6.4 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
BC-ABA-LA | 3283283 | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-RA-CR | 3266006 | [CVE-2023-0018] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BI-RA-WBI-FE | 3251447 | [CVE-2023-0015] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (Web Intelligence) | 4.6 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
FIN-FSCM-CLM-BAM | 3150704 | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | 4.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
