SAP’s March 2023 Security Updates Patch 5 Critical-Severity Vulnerabilities


German enterprise software maker SAP has released 19 new security notes on its March 2023 Security Patch Day, including five ‘hot news’ notes dealing with critical vulnerabilities.

One of the critical vulnerabilities is CVE-2023-25616 (CVSS score of 9.9), a code injection vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) affecting versions 420 and 430. Execution of a Program Object can lead to code injection, which could allow an attacker to gain access to resources that are only available with extra privileges.

The second critical security hole, identified as CVE-2023-23857 (CVSS score of 9.9), has been described as improper access control in SAP NetWeaver AS for Java. The issue allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services that can be used to perform unauthorized operations affecting users and services across systems. On successful exploitation, the attacker can read and modify some sensitive information; the flaw can also be used to lock up any element or operation of the system, making it unresponsive or unavailable.

The third critical vulnerability, CVE-2023-27269 (CVSS score of 9.6), is a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform. The flaw allows an attacker with non-administrative authorizations to exploit a directory traversal weakness in an available service to overwrite system files.

The fourth critical vulnerability, CVE-2023-27500 (CVSS score of 9.6), is also a directory traversal vulnerability in SAP ERP and S4HANA (SAPRSBRO Program).

The fifth critical vulnerability, CVE-2023-25617 (CVSS score of 9.0), is an OS command execution vulnerability in SAP BusinessObjects Business Intelligence Platform (Adaptive Job Server). When program object execution is enabled, the bug allows authenticated users with scheduling rights to remotely execute arbitrary commands on Unix, using the BI Launchpad, the Central Management Console, or a custom application based on the public Java SDK.

The high-severity vulnerabilities patched by SAP include a directory traversal flaw in SAP NetWeaver AS for ABAP and ABAP Platform, a Server-Side Request Forgery (SSRF) issue in SAP NetWeaver AS for ABAP and ABAP Platform, and a memory corruption vulnerability in SAPOSCOL.

The remaining eleven security notes that SAP announced this week deal with medium-severity improper access control, missing authentication and authorization checks, cross-site scripting (XSS), information disclosure, denial of service (DoS), XXE, and SQL injection vulnerabilities in ABAP Platform, SAP NetWeaver, SAP NetWeaver AS for ABAP and ABAP Platform, SAP BusinessObjects Business Intelligence platform, SAP Content Server, SAP Authenticator for Android, SAP NetWeaver AS Java, and SAP NetWeaver AS for Java.