
SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities

SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.

Four of the security notes rated ‘hot news’ – the highest severity rating in SAP’s books – are fresh notes addressing vulnerabilities in Business Planning and Consolidation MS, BusinessObjects, and NetWeaver, while the remaining three are updates to notes released in November and December 2022.

The most severe of the new notes resolve an SQL injection bug in Business Planning and Consolidation MS (CVE-2023-0016, CVSS score of 9.9), and a code injection flaw in the BusinessObjects Business Intelligence platform (CVE-2023-0022, CVSS score of 9.9).

According to enterprise security firm Onapsis, the first of these issues can be exploited to execute crafted database queries in the vulnerable application, allowing an attacker to read, modify, or delete arbitrary data.

The code injection vulnerability can be exploited over the network, with an impact on application confidentiality, integrity, and availability.

“The note contains a patch and a workaround for those customers who can’t provide this patch immediately. However, this workaround can only be used as a temporary solution as it removes, stops or disables the affected service,” Onapsis explains.

The remaining new ‘hot news’ notes resolve an improper access control bug in NetWeaver AS for Java (CVE-2023-0017, CVSS score of 9.4) and a capture-replay vulnerability in the NetWeaver AS for ABAP and ABAP platform (CVE-2023-0014, CVSS score of 9.0).

By exploiting the first issue, an unauthenticated attacker could access and modify user data and make system services unavailable.

The capture-replay bug impacts the architecture of trusted-trusting RFC and HTTP communication, allowing attackers to obtain unauthorized access to an SAP system.

Mitigating the vulnerability, Onapsis says, could prove challenging, as it involves applying “a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations”.

SAP also updated three ‘hot news’ notes addressing an insecure deserialization of untrusted data flaw in BusinessObjects (CVE-2022-41203) and two improper access control issues in NetWeaver (CVE-2022-4127 and CVE-2022-41271).

The five remaining notes released on SAP’s January Security Patch Day address medium-severity vulnerabilities in Host Agent (Windows), NetWeaver, BusinessObjects, and Bank Account Management (Manage Banks).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.