Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Releases Five ‘Hot News’ Notes on March 2023 Patch Day

SAP has released 19 new notes on March 2023 Security Patch Day, including five notes rated hot news.

German enterprise software maker SAP announced the release of 19 new notes on its March 2023 Security Patch Day, including five hot news notes.

The notes rated ‘hot news’ – the highest rating in SAP’s playbook – resolve critical vulnerabilities impacting Business Objects, NetWeaver, ERP and S4HANA.

Two of the hot news notes address security defects in the Business Objects Business Intelligence Platform.

The most severe of these is CVE-2023-25616, a code injection flaw in the Central Management Console (CMC), followed by CVE-2023-25617, an OS command injection in Adaptive Job Server.

Next in line are two hot news notes addressing flaws in NetWeaver. The first is CVE-2023-23857, an improper access control issue in the Locking Service that could allow an attacker to “attach to an open interface and make use of an open naming and directory API to access services”.

According to enterprise application security firm Onapsis, the attacker can abuse these services to perform unauthorized operations.

The second issue is CVE-2023-27269, a path traversal bug “caused by the include program RSPOXTAB that allows access to files that are not assigned to a logical file name in the system”, Onapsis explains.

The fifth hot news note addresses CVE-2023-27500, a directory traversal vulnerability in the SAPRSBRO program in ERP and S4HANA. By disabling the program, SAP no longer allows “non-administrative authorizations to overwrite arbitrary critical OS files”.

Advertisement. Scroll to continue reading.

This month’s SAP security updates also include four notes that resolve high-severity flaws impacting Solution Manager and ABAP managed systems (ST-PI), NetWeaver AS for ABAP and ABAP Platform, and the SAPOSCOL application.

Successful exploitation of these issues could allow attackers to execute code remotely, delete arbitrary files at the OS level to make the system unavailable, cause a denial-of-service (DoS) condition, and trigger a memory corruption bug to read technical information about the server.

All the remaining new notes released on SAP’s March 2023 Security Patch Day resolve medium-severity vulnerabilities.

Related: SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities

Related: SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities

Related: SAP’s December 2022 Security Updates Patch Critical Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.