SAP Fixes Multiple Critical Vulnerabilities on March 2023 Patch Day
SAP has recently fixed 19 vulnerabilities as part of its March 2023 patch day. Five vulnerabilities are rated critical and have also been labeled “hot news” by the vendor.
The critical vulnerabilities affect several versions of the following products:
- SAP Business Objects Business Intelligence Platform (CMC)
- SAP NetWeaver AS for Java
- SAP NetWeaver Application Server for ABAP and ABAP Platform
- SAP NetWeaver AS for ABAP and ABAP Platform (SAPRSBRO Program)
- SAP Business Objects (Adaptive Job Server)
How Do SAP Vulnerabilities Affect?
The critical vulnerabilities addressed by the patch and specifics of affected product versions are detailed below:
CVE-2023-25616(CVSS score: 9.9): A critical code injection vulnerability in SAP Business Intelligence Platform (versions 420 and 430) that enables attackers to access resources only available to privileged users. A successful attack could impact the confidentiality, integrity, and availability of the system.
CVE-2023-23857(CVSS score: 9.8) An unauthenticated attacker can exploit a vulnerability in SAP NetWeaver AS for Java, version 7.50, allowing them to perform unauthorized operations across systems. The attacker can access services via directory API, potentially reading and modifying sensitive information and making the system unresponsive or unavailable.
CVE-2023-27269(CVSS score: 9.6) A critical directory traversal problem in SAP NetWeaver Application Server for ABAP (versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791) that allows non-admin users to overwrite system files. During this attack, it is not possible to read any data, but the attacker can potentially overwrite critical operating system files. This could result in the system becoming unavailable.
CVE-2023-27500(CVSS score: 9.6) A critical directory traversal flaw in SAP NetWeaver AS for ABAP (versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757). An attacker can take advantage of the flaw in the program SAPRSBRO to overwrite critical system files and make the system unavailable.
CVE-2023-25617(CVSS score: 9.0): SAP Business Object (Adaptive Job Server) versions 420 and 430 have this vulnerability that allows remote, authenticated users with scheduling rights to execute arbitrary commands on Unix systems if program objects execution is enabled. The vulnerability can be exploited through the BI Launchpad, Central Management Console, or a custom application based on the public Java SDK. Successful exploitation could impact the system’s confidentiality, integrity, and availability.
Refer to SAP’s official documentation for more information.
Manage Patches with SOCRadar
With its advanced scanning capabilities, SOCRadar XTI can identify potential threats in your network and provide comprehensive insights into the associated risks. This information allows prioritizing patches based on a vulnerability’s potential impact, ensuring that critical vulnerabilities are addressed first and reducing the time and effort needed to remediate vulnerabilities.
SOCRadar’s Vulnerability Intelligence is also essential for understanding emerging vulnerabilities or finding important updates about previous ones.