SAP Security Notes - March 2023 - Safe O'Clock

SAP Security Notes – March 2023

March 14, 2023

On the 14th of March 2023, SAP Security Patch Day saw the release of 19 new Security Notes.

There were no updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 5
Correction with high priority 4
Correction with medium priority 10
Correction with low priority 0

Highlights

On March Patch Day SAP presents 9 high-severity Notes with 5 of them rated as HotNews and 4 of them rated as a correction with high priority.

We will describe the corrections with the highest priority as a digest for today.

Starting with the 2 Notes released for SAP Business Objects Business Intelligence Platform security.
Note 3245526Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) – with a CVSS Score of 9.9, is dedicated to certain circumstances, the execution of a SAP BOBJ BI Program Object can result in a code injection vulnerability, which could give an attacker access to resources that are permitted by elevated privileges. A successful attack could have a significant adverse effect on the system’s availability, confidentiality, and integrity.
The second Note 3283438OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) – with a CVSS Score of 9.0. The SAP BOBJ BI Adaptive Job Server allows an authenticated attacker to run arbitrary commands over the network as a result of wrongly escaped parameters in Unix. The attacker can entirely compromise the application if the exploitation is effective.

SAP NetWeaver AS for ABAP receives 4 Notes for this month. We will sort them in the order of severity.

The first will be Note 3294595Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 9.6. An attacker with non-administrative permissions on SAP NetWeaver AS for ABAP and ABAP Platform is able to use a directory traversal vulnerability in a working service to overwrite the system files. No data can be read in this assault, but possibly crucial OS files can be changed, rendering the system data unusable.
The second is Note 3302162Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 9.6. A directory traversal bug in the application SAPRSBRO allows an attacker with non-administrative permissions to overwrite system files. No data can be read in this assault, but possibly crucial OS files can be changed, so the systems could become unavailable.
The third is Note 3294954Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 8.7. An attacker might be able to delete system files using SAP NW ABAP and ABAP Platform if user-provided path information is not adequately validated. This vulnerability results in directory traversal. No data can be read in this assault, but possibly crucial OS files can be erased.
The last set of NetWeaver vulnerabilities to describe will be 3296346Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 7.4. This Note contains the information necessary to mitigate such attacks as Server Side Request Forgery (SSRF), Denial of Service (DoS) and Cross Site Port Attacks on NW systems.

For SAP NetWeaver AS for Java security, the Note 3252433 was released. 3252433Improper Access Control in SAP NetWeaver AS for Java – with a CVSS Score of 9.9, containing the information about missing authentication check in SAP NetWeaver AS for Java. It allows an unauthenticated attacker to attach to a public interface and utilize a public naming and directory API to access services that can be used to carry out illegal activities on users and services across systems. If the attack is successful, the attacker can read and change certain sensitive data but also lock up any system function or component.

The Note 3296476Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) – with a CVSS Score of 8.8. A susceptible interface can be used by an attacker to execute an application function and carry out operations that they would not typically be allowed to do if they had been authenticated as a user with a non-administrative role and common remote execution permission. The attacker can read or modify any user or application data and make the application unavailable, which will have an impact on the ABAP-managed systems and SAP Solution Manager system, depending on the function that is executed.

The last Note to describe will be Note 3275727Memory Corruption vulnerability in SAPOSCOL – with a CVSS Score of 7.2. A crafted request that causes a memory corruption issue may be submitted by an unauthenticated attacker with network access to a server port designated for the SAP Start Service using SAPOSCOL. The server’s technical information can be revealed but not changed using this error. Moreover, it can make a specific service momentarily inaccessible.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BI-BIP-CMC 3245526 [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-CST-EQ 3252433 [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
BC-CCM-PRN 3294595 [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform HotNews 9.6 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
BC-DOC-RIT 3302162 [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform HotNews 9.6 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
BI-BIP-SRV 3283438 [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) HotNews 9.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
SV-SMG-SDD 3296476 [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) high 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BC-CTS-TMS 3294954 [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform high 8.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
BC-MID-ICF 3296346 [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform high 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
BC-CCM-MON-OS 3275727 [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL high 7.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
EP-PIN-PSL 3284550 [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) medium 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-DWB-TOO-TDF 3289844 [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform medium 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-MID-ICF 3296328 [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
BI-BIP-INV 3287120 [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
BC-SRV-KPR-CS 3281484 [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-IAM-SSO-OTP 3302710 [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android medium 6.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
BC-CCM-PRN-PC 3274920 [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-JAS-COR-SES 3288480 [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-JAS-COR-CSH 3288096 [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-JAS-COR 3288394 [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK