Software vendor SAP has released security updates for 19 vulnerabilities, five of which are classified as critical, meaning administrators need to apply them as soon as possible to mitigate the associated risks.
The bugs fixed this month affect many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.
More specifically, the five critical flaws fixed this month are as follows:
- CVE-2023-25616: Critical-severity code injection vulnerability (CVSS v3: 9.9) in SAP Business Intelligence Platform, which allows an attacker to access resources that are only available to privileged users. The flaw affects versions 420 and 430.
- CVE-2023-23857: Critical-severity information disclosure, data tampering and DoS flaw (CVSS v3: 9.8) affecting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by connecting to an open interface and accessing services via the Directory API.
- CVE-2023-27269: Critical severity directory traversal issue (CVSS v3: 9.6) affecting SAP NetWeaver Application Server for ABAP. The flaw allows a non-administrator user to overwrite system files. It affects versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 and 791.
- CVE-2023-27500: Critical-severity directory traversal (CVSS v3: 9.6) in SAP NetWeaver AS for ABAP. An attacker can exploit the flaw in SAPRSBRO to overwrite system files, causing damage to the vulnerable endpoint. It affects versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 757.
- CVE-2023-25617: Critical-severity command execution vulnerability (CVSS v3: 9.0) in SAP Business Objects Business Intelligence Platform, versions 420 and 430. Under certain conditions, the flaw allows a remote attacker to execute arbitrary operating system commands via the BI Launchpad, the central administration console (CMC) or a custom application based on the public Java SDK.
Apart from the above, SAP’s monthly security patch fixed four high severity flaws and ten medium severity vulnerabilities.
Security flaws in SAP products are excellent targets for threat actors because they are commonly used by large organizations around the world and can serve as entry points into extremely valuable systems.
SAP is the world’s largest ERP provider, holding 24% of the global market share with 425,000 customers in 180 countries. More than 90% of Forbes Global 2000 use its ERP, SCM, PLM and CRM products.
In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch a set of serious vulnerabilities affecting SAP business applications to prevent data theft, hacking attacks, ransomware and the disruption of mission-critical processes and operations.
In April 2021, threat actors were observed exploiting already-fixed flaws in unpatched SAP systems to gain access to corporate networks.