Connect with us

Hi, what are you looking for?



SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities

SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.

SAP this week announced the release of 12 new and updated security notes as part of the January 2023 Security Patch Day, including seven ‘hot news’ notes that address critical-severity vulnerabilities.

Four of the security notes rated ‘hot news’ – the highest severity rating in SAP’s books – are fresh notes addressing vulnerabilities in Business Planning and Consolidation MS, BusinessObjects, and NetWeaver, while the remaining three are updates to notes released in November and December 2022.

The most severe of the new notes resolve an SQL injection bug in Business Planning and Consolidation MS (CVE-2023-0016, CVSS score of 9.9), and a code injection flaw in the BusinessObjects Business Intelligence platform (CVE-2023-0022, CVSS score of 9.9).

According to enterprise security firm Onapsis, the first of these issues can be exploited to execute crafted database queries in the vulnerable application, allowing an attacker to read, modify, or delete arbitrary data.

The code injection vulnerability can be exploited over the network, with an impact on application confidentiality, integrity, and availability.

“The note contains a patch and a workaround for those customers who can’t provide this patch immediately. However, this workaround can only be used as a temporary solution as it removes, stops or disables the affected service,” Onapsis explains.

The remaining new ‘hot news’ notes resolve an improper access control bug in NetWeaver AS for Java (CVE-2023-0017, CVSS score of 9.4) and a capture-replay vulnerability in the NetWeaver AS for ABAP and ABAP platform (CVE-2023-0014, CVSS score of 9.0).

By exploiting the first issue, an unauthenticated attacker could access and modify user data and make system services unavailable.

Advertisement. Scroll to continue reading.

The capture-replay bug impacts the architecture of trusted-trusting RFC and HTTP communication, allowing attackers to obtain unauthorized access to an SAP system.

Mitigating the vulnerability, Onapsis says, could prove challenging, as it involves applying “a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations”.

SAP also updated three ‘hot news’ notes addressing an insecure deserialization of untrusted data flaw in BusinessObjects (CVE-2022-41203) and two improper access control issues in NetWeaver (CVE-2022-4127 and CVE-2022-41271).

The five remaining notes released on SAP’s January Security Patch Day address medium-severity vulnerabilities in Host Agent (Windows), NetWeaver, BusinessObjects, and Bank Account Management (Manage Banks).

Related: SAP’s December 2022 Security Updates Patch Critical Vulnerabilities

Related: SAP Patches Critical Vulnerabilities in BusinessObjects, SAPUI5

Related: SAP Patches Critical Vulnerabilities in Commerce, Manufacturing Execution Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

UK cybersecurity agency NCSC announced Richard Horne as its new CEO.

Bill Dunnion has joined telecommunications giant Mitel as CISO.

Cybersecurity firm Forcepoint has appointed Naveen Palavalli as CMO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.