German enterprise software maker SAP announced the release of 19 new notes on its March 2023 Security Patch Day, including five major news notes.
Notes rated ‘important news’, the highest rating in the SAP playbook, resolve critical vulnerabilities affecting Business Objects, NetWeaver, ERP and S4HANA.
Two of the biggest news stories address security flaws in Business Objects Business Intelligence Platform.
The most serious of these is CVE-2023-25616, a code injection flaw in the Central Management Console (CMC), followed by CVE-2023-25617, an operating system command injection in Adaptive Job Server.
Next in line are two hot news stories addressing bugs in NetWeaver. The first is CVE-2023-23857, an inadequate access control issue in the lockdown service that could allow an attacker to “connect to an open interface and make use of an open naming and directory API to access services.” “.
According to enterprise application security firm Onapsis, the attacker can abuse these services to perform unauthorized operations.
The second issue is CVE-2023-27269, a path traversal bug “caused by the RSPOXTAB include program allowing access to files that are not mapped to a logical file name on the system,” Onapsis explains.
The fifth topical news story addresses CVE-2023-27500, a directory traversal vulnerability in the SAPRSBRO program in ERP and S4HANA. By disabling the program, SAP no longer allows “non-administrative authorizations to overwrite arbitrary critical operating system files.”
This month’s SAP security updates also include four notes that resolve high-severity flaws affecting Solution Manager and ABAP Managed Systems (ST-PI), NetWeaver AS for ABAP and ABAP Platform, and the SAPOSCOL application.
Successful exploitation of these issues could allow attackers to execute code remotely, delete arbitrary files at the operating system level to make the system unavailable, cause a denial of service (DoS) condition, and trigger a corruption error. memory to read technical information about the server.
All remaining new notes released in SAP’s March 2023 Security Patch Day resolve medium severity vulnerabilities.
Related: High severity vulnerabilities in the SAP February 2023 security update patch
Related: SAP’s first security updates for 2023 resolve critical vulnerabilities
Related: Critical vulnerabilities in the SAP December 2022 security update patch
