On the 14th of March 2023, SAP Security Patch Day saw the release of 19 new Security Notes.
There were no updates to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 5 |
| Correction with high priority | 4 |
| Correction with medium priority | 10 |
| Correction with low priority | 0 |
Highlights
On March Patch Day SAP presents 9 high-severity Notes with 5 of them rated as HotNews and 4 of them rated as a correction with high priority.
We will describe the corrections with the highest priority as a digest for today.
Starting with the 2 Notes released for SAP Business Objects Business Intelligence Platform security.
Note 3245526 – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) – with a CVSS Score of 9.9, is dedicated to certain circumstances, the execution of a SAP BOBJ BI Program Object can result in a code injection vulnerability, which could give an attacker access to resources that are permitted by elevated privileges. A successful attack could have a significant adverse effect on the system’s availability, confidentiality, and integrity.
The second Note 3283438 – OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) – with a CVSS Score of 9.0. The SAP BOBJ BI Adaptive Job Server allows an authenticated attacker to run arbitrary commands over the network as a result of wrongly escaped parameters in Unix. The attacker can entirely compromise the application if the exploitation is effective.
SAP NetWeaver AS for ABAP receives 4 Notes for this month. We will sort them in the order of severity.
The first will be Note 3294595 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 9.6. An attacker with non-administrative permissions on SAP NetWeaver AS for ABAP and ABAP Platform is able to use a directory traversal vulnerability in a working service to overwrite the system files. No data can be read in this assault, but possibly crucial OS files can be changed, rendering the system data unusable.
The second is Note 3302162 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 9.6. A directory traversal bug in the application SAPRSBRO allows an attacker with non-administrative permissions to overwrite system files. No data can be read in this assault, but possibly crucial OS files can be changed, so the systems could become unavailable.
The third is Note 3294954 – Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 8.7. An attacker might be able to delete system files using SAP NW ABAP and ABAP Platform if user-provided path information is not adequately validated. This vulnerability results in directory traversal. No data can be read in this assault, but possibly crucial OS files can be erased.
The last set of NetWeaver vulnerabilities to describe will be 3296346 – Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform – with a CVSS Score of 7.4. This Note contains the information necessary to mitigate such attacks as Server Side Request Forgery (SSRF), Denial of Service (DoS) and Cross Site Port Attacks on NW systems.
For SAP NetWeaver AS for Java security, the Note 3252433 was released. 3252433 – Improper Access Control in SAP NetWeaver AS for Java – with a CVSS Score of 9.9, containing the information about missing authentication check in SAP NetWeaver AS for Java. It allows an unauthenticated attacker to attach to a public interface and utilize a public naming and directory API to access services that can be used to carry out illegal activities on users and services across systems. If the attack is successful, the attacker can read and change certain sensitive data but also lock up any system function or component.
The Note 3296476 – Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) – with a CVSS Score of 8.8. A susceptible interface can be used by an attacker to execute an application function and carry out operations that they would not typically be allowed to do if they had been authenticated as a user with a non-administrative role and common remote execution permission. The attacker can read or modify any user or application data and make the application unavailable, which will have an impact on the ABAP-managed systems and SAP Solution Manager system, depending on the function that is executed.
The last Note to describe will be Note 3275727 – Memory Corruption vulnerability in SAPOSCOL – with a CVSS Score of 7.2. A crafted request that causes a memory corruption issue may be submitted by an unauthenticated attacker with network access to a server port designated for the SAP Start Service using SAPOSCOL. The server’s technical information can be revealed but not changed using this error. Moreover, it can make a specific service momentarily inaccessible.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-EQ | 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H |
| BC-CCM-PRN | 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| BC-DOC-RIT | 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
| BI-BIP-SRV | 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | 9.0 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| SV-SMG-SDD | 3296476 | [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI) | 8.8 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-CTS-TMS | 3294954 | [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 8.7 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| BC-MID-ICF | 3296346 | [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | 7.4 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| BC-CCM-MON-OS | 3275727 | [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL | 7.2 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L |
| EP-PIN-PSL | 3284550 | [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal) | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-DWB-TOO-TDF | 3289844 | [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-MID-ICF | 3296328 | [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BI-BIP-INV | 3287120 | [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-SRV-KPR-CS | 3281484 | [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-IAM-SSO-OTP | 3302710 | [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
| BC-CCM-PRN-PC | 3274920 | [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-JAS-COR-SES | 3288480 | [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-JAS-COR-CSH | 3288096 | [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-JAS-COR | 3288394 | [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service) | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
