SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.
Four of the security notes rated ‘hot news’ – the highest severity rating in SAP’s books – are new notes addressing vulnerabilities in Business Planning and Consolidation MS, BusinessObjects, and NetWeaver, while the remaining three are updates to notes released in November and December 2022.
The most severe of the new notes resolve an SQL injection bug in Business Planning and Consolidation MS (CVE-2023-0016, CVSS score of 9.9), and a code injection flaw in the BusinessObjects Business Intelligence platform (CVE-2023-0022, CVSS score of 9.9).
According to enterprise security firm Onapsis, the first of these issues can be exploited to execute crafted database queries in the vulnerable application, allowing an attacker to read, modify, or delete arbitrary data.
The code injection vulnerability can be exploited over the network, with an impact on application confidentiality, integrity, and availability.
“The note contains a patch and a workaround for those customers who can’t provide this patch immediately. However, this workaround can only be used as a temporary solution as it removes, stops or disables the affected service,” Onapsis explains.
The remaining new ‘hot news’ notes resolve an improper access control bug in NetWeaver AS for Java (CVE-2023-0017, CVSS score of 9.4) and a capture-replay vulnerability in the NetWeaver AS for ABAP and ABAP platform (CVE-2023-0014, CVSS score of 9.0).
By exploiting the first issue, an unauthenticated attacker could access and modify user data and make system services unavailable.
The capture-replay bug affects the trusted/trusting architecture used for RFC and HTTP communication between SAP systems, allowing attackers to obtain unauthorized access to an SAP system.
Mitigating the vulnerability, Onapsis says, could prove challenging, as it requires applying “a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations”.
SAP also updated three ‘hot news’ notes addressing an insecure deserialization of untrusted data flaw in BusinessObjects (CVE-2022-41203) and two improper access control issues in NetWeaver (CVE-2022-4127 and CVE-2022-41271).
The five remaining notes released on SAP’s January Security Patch Day address medium-severity vulnerabilities in Host Agent (Windows), NetWeaver, BusinessObjects, and Bank Account Management (Manage Banks).