German enterprise software maker SAP announced the release of 19 new notes on its March 2023 Security Patch Day, including five hot news notes.
The notes rated ‘hot news’ – the highest rating in SAP’s playbook – resolve critical vulnerabilities impacting Business Objects, NetWeaver, ERP and S4HANA.
Two of the hot news notes address security defects in the Business Objects Business Intelligence Platform.
The most severe of these is CVE-2023-25616, a code injection flaw in the Central Management Console (CMC), followed by CVE-2023-25617, an OS command injection in Adaptive Job Server.
Next in line are two hot news notes addressing flaws in NetWeaver. The first is CVE-2023-23857, an improper access control issue in the Locking Service that could allow an attacker to “attach to an open interface and make use of an open naming and directory API to access services”.
According to enterprise application security firm Onapsis, the attacker can abuse these services to perform unauthorized operations.
The second issue is CVE-2023-27269, a path traversal bug “caused by the include program RSPOXTAB that allows access to files that are not assigned to a logical file name in the system”, Onapsis explains.
The fifth hot news note addresses CVE-2023-27500, a directory traversal vulnerability in the SAPRSBRO program in ERP and S4HANA. By disabling the program, SAP no longer allows “non-administrative authorizations to overwrite arbitrary critical OS files”.
This month’s SAP security updates also include four notes that resolve high-severity flaws impacting Solution Manager and ABAP managed systems (ST-PI), NetWeaver AS for ABAP and ABAP Platform, and the SAPOSCOL application.
Successful exploitation of these issues could allow attackers to execute code remotely, delete arbitrary files at the OS level to make the system unavailable, cause a denial-of-service (DoS) condition, and trigger a memory corruption bug to read technical information about the server.
All the remaining new notes released on SAP’s March 2023 Security Patch Day resolve medium-severity vulnerabilities.
Related: SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities
Related: SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities
Related: SAP’s December 2022 Security Updates Patch Critical Vulnerabilities