SAP Security Notes - March 2023 - Safe O'Clock

SAP Security Notes – March 2023

March 14, 2023

On the 14th of March 2023, SAP Security Patch Day saw the release of 19 new Security Notes.

There were no updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 5
Correction with high priority: 4
Correction with medium priority: 10
Correction with low priority: 0

Highlights

On the March Patch Day SAP presents 9 high-severity Notes: 5 of them are rated HotNews and 4 are rated as corrections with high priority.

Today's digest covers the corrections with the highest priority.

We start with the 2 Notes released for SAP Business Objects Business Intelligence Platform security.
Note 3245526 (Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)), with a CVSS Score of 9.9, addresses a flaw where, under certain circumstances, the execution of a SAP BOBJ BI Program Object can result in code injection, giving an attacker access to resources that are only permitted to elevated privileges. A successful attack could have a significant adverse effect on the system's availability, confidentiality and integrity.
The second Note, 3283438 (OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)), has a CVSS Score of 9.0. Because of wrongly escaped parameters on Unix, the SAP BOBJ BI Adaptive Job Server allows an authenticated attacker to run arbitrary commands over the network. Successful exploitation can fully compromise the application.

SAP NetWeaver AS for ABAP receives 4 Notes this month. We will sort them in order of severity.

The first is Note 3294595 (Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform), with a CVSS Score of 9.6. An attacker with non-administrative permissions on SAP NetWeaver AS for ABAP and ABAP Platform is able to use a directory traversal vulnerability in a running service to overwrite system files. No data can be read in this attack, but potentially crucial OS files can be changed, rendering the system data unusable.
The second is Note 3302162 (Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform), with a CVSS Score of 9.6. A directory traversal bug in the application SAPRSBRO allows an attacker with non-administrative permissions to overwrite system files. No data can be read in this attack, but potentially crucial OS files can be changed, so the system could become unavailable.
The third is Note 3294954 (Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform), with a CVSS Score of 8.7. Because user-provided path information is not adequately validated, an attacker might be able to delete system files on SAP NW ABAP and ABAP Platform. No data can be read in this attack, but potentially crucial OS files can be erased.
The last NetWeaver Note to describe is 3296346 (Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform), with a CVSS Score of 7.4. This Note contains the information necessary to mitigate Server Side Request Forgery (SSRF), Denial of Service (DoS) and Cross Site Port Attacks on NW systems.

For SAP NetWeaver AS for Java security, Note 3252433 (Improper Access Control in SAP NetWeaver AS for Java), with a CVSS Score of 9.9, was released. It describes a missing authentication check in SAP NetWeaver AS for Java that allows an unauthenticated attacker to attach to a public interface and use a public naming and directory API to access services that can be used to carry out unauthorized operations on users and services across systems. If the attack is successful, the attacker can read and change certain sensitive data and can also render any system function or component unavailable.

Note 3296476 (Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)) has a CVSS Score of 8.8. An attacker authenticated as a user with a non-administrative role and common remote execution permission can use a vulnerable interface to call an application function and carry out operations they would not normally be allowed to perform. Depending on the function executed, the attacker can read or modify any user or application data and make the application unavailable, affecting both the ABAP-managed systems and the SAP Solution Manager system.

The last Note to describe is Note 3275727 (Memory Corruption vulnerability in SAPOSCOL), with a CVSS Score of 7.2. An unauthenticated attacker with network access to a server port designated for the SAP Start Service can submit a crafted request to SAPOSCOL that triggers a memory corruption issue. This flaw can disclose the server's technical information but not change it. Moreover, it can make a specific service temporarily unavailable.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-EQ | 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H |
| BC-CCM-PRN | 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| BC-DOC-RIT | 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| BI-BIP-SRV | 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | 9.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| SV-SMG-SDD | 3296476 | [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | 8.8 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-CTS-TMS | 3294954 | [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 8.7 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| BC-MID-ICF | 3296346 | [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 7.4 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| BC-CCM-MON-OS | 3275727 | [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL | 7.2 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L |
| EP-PIN-PSL | 3284550 | [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-DWB-TOO-TDF | 3289844 | [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-MID-ICF | 3296328 | [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BI-BIP-INV | 3287120 | [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-SRV-KPR-CS | 3281484 | [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-IAM-SSO-OTP | 3302710 | [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| BC-CCM-PRN-PC | 3274920 | [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-JAS-COR-SES | 3288480 | [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-JAS-COR-CSH | 3288096 | [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-JAS-COR | 3288394 | [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
