CVE-2023-27497 & CVE-2023-28765: Critical flaws affect SAP products
German enterprise software maker SAP has released 19 new security notes on its April 2023 Security Patch Day, including five ‘hot news’ notes dealing with critical vulnerabilities (2 new flaws: CVE-2023-27497 & CVE-2023-28765, and 3 updates).
With a CVSS score of 10, the most severe of SAP’s security notes updates a note released on April 2018 Patch Day, which deals with software updates for the Chrome-based browser in SAP Business Client.
The second security note (CVSS score of 9.9) that SAP marked as hot news resolves an improper access control in the SAP NetWeaver Process Integration.
The third security note (CVSS score of 9.6) that the company marked as hot news resolves a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform.
The most severe of these is CVE-2023-27497 (CVSS score of 10), a flaw in the SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector). Due to missing authentication and input sanitization of code the EventLogServiceCollector of SAP Diagnostics Agent – version 720, allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely compromise the confidentiality, integrity, and availability of the system.
The last hot news note that SAP released this month deals with an information disclosure vulnerability in SAP
BusinessObjects Business Intelligence Platform (Promotion Management ) (CVE-2023-28765, CVSS score of 9.8). An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) – versions 420, and 430, can get access to the lcmbiar file and further decrypt the file. After this attacker can gain access to the BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application.
This month, SAP also announced the release of a high-priority security note that resolves a vulnerability in SAP NetWeaver.
The remaining eleven security notes that SAP announced this week deal with medium-severity and low-severity vulnerabilities.