SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities

SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.

Four of the security notes rated ‘hot news’ – the highest severity rating in SAP’s books – are new notes addressing vulnerabilities in Business Planning and Consolidation MS, BusinessObjects, and NetWeaver, while the remaining three are updates to notes released in November and December 2022.

The most severe of the new notes resolve an SQL injection bug in Business Planning and Consolidation MS (CVE-2023-0016, CVSS score of 9.9), and a code injection flaw in the BusinessObjects Business Intelligence platform (CVE-2023-0022, CVSS score of 9.9).

According to enterprise security firm Onapsis, the first of these issues can be exploited to execute crafted database queries in the vulnerable application, allowing an attacker to read, modify, or delete arbitrary data.
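The mechanism behind that description, as an added illustration that is not SAP’s code and not the BPC MS defect itself: the table names, column names and sample rows below are constructed for the demo (SQLite in memory), and the point is only how a caller-controlled string that is spliced into statement text lets the caller read from other tables or delete every row, while the same string bound as a parameter is just a value that matches nothing.

```python
import sqlite3

# Constructed sample data; the table and column names are assumptions
# for this illustration and do not come from any SAP product.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE plan_data (entity TEXT, amount INTEGER);
        INSERT INTO plan_data VALUES ('EU', 100), ('US', 250);
        CREATE TABLE app_users (name TEXT, role TEXT);
        INSERT INTO app_users VALUES ('alice', 'planner'), ('bob', 'admin');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, entity: str) -> list:
    """Input is spliced into the statement text, so the input can rewrite the query."""
    sql = f"SELECT entity, amount FROM plan_data WHERE entity = '{entity}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, entity: str) -> list:
    """Input is bound as a parameter, so it is only ever compared as a value."""
    return conn.execute(
        "SELECT entity, amount FROM plan_data WHERE entity = ?", (entity,)
    ).fetchall()


def delete_vulnerable(conn: sqlite3.Connection, entity: str) -> int:
    """Same flaw on a write path; returns how many rows survive the delete."""
    conn.execute(f"DELETE FROM plan_data WHERE entity = '{entity}'")
    return conn.execute("SELECT COUNT(*) FROM plan_data").fetchone()[0]


def delete_hardened(conn: sqlite3.Connection, entity: str) -> int:
    """Parameterised delete; returns how many rows survive."""
    conn.execute("DELETE FROM plan_data WHERE entity = ?", (entity,))
    return conn.execute("SELECT COUNT(*) FROM plan_data").fetchone()[0]


def demo() -> dict:
    """Run a read payload and a wipe payload against both variants."""
    # Closes the quoted literal, appends a UNION over another table, and
    # comments out the trailing quote the template would otherwise add.
    read_payload = "x' UNION SELECT name, role FROM app_users --"
    # Tautology that makes the WHERE clause match every row.
    wipe_payload = "x' OR '1'='1"
    return {
        "vuln_read": set(lookup_vulnerable(setup_db(), read_payload)),
        "safe_read": lookup_hardened(setup_db(), read_payload),
        "vuln_rows_left": delete_vulnerable(setup_db(), wipe_payload),
        "safe_rows_left": delete_hardened(setup_db(), wipe_payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable read returns the contents of `app_users` rather than anything from `plan_data`, and the vulnerable delete empties the table; the parameterised versions return no rows and leave both rows in place. The fix for this class is always the same regardless of the platform: keep user input out of the statement text.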

The code injection vulnerability can be exploited over the network, with an impact on application confidentiality, integrity, and availability.

“The note contains a patch and a workaround for those customers who can’t provide this patch immediately. However, this workaround can only be used as a temporary solution as it removes, stops or disables the affected service,” Onapsis explains.

The remaining new ‘hot news’ notes resolve an improper access control bug in NetWeaver AS for Java (CVE-2023-0017, CVSS score of 9.4) and a capture-replay vulnerability in the NetWeaver AS for ABAP and ABAP platform (CVE-2023-0014, CVSS score of 9.0).

By exploiting the first issue, an unauthenticated attacker could access and modify user data and make system services unavailable.

The capture-replay bug affects the trusted/trusting system architecture used for RFC and HTTP communication between SAP systems: an attacker who captures a valid authentication exchange can replay it to obtain unauthorized access to an SAP system.

Mitigating the vulnerability, Onapsis says, could prove challenging, as it involves applying “a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations”.

SAP also updated three ‘hot news’ notes addressing an insecure deserialization of untrusted data flaw in BusinessObjects (CVE-2022-41203) and two improper access control issues in NetWeaver (CVE-2022-41272 and CVE-2022-41271).

The five remaining notes released on SAP’s January Security Patch Day address medium-severity vulnerabilities in Host Agent (Windows), NetWeaver, BusinessObjects, and Bank Account Management (Manage Banks).

Related: SAP’s December 2022 Security Updates Patch Critical Vulnerabilities

Related: SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5

Related: SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
