Software maker SAP has released security updates for 19 vulnerabilities, five of which are classified as critical, meaning administrators should apply them as soon as possible to mitigate the associated risks.
The flaws corrected this month affect many products, but the critical-severity bugs are in the SAP BusinessObjects Business Intelligence (CMC) platform and SAP NetWeaver.
More specifically, the five critical flaws fixed this time are as follows:
- CVE-2023-25616: Critical severity code injection vulnerability (CVSS v3: 9.9) in the SAP Business Intelligence platform, allowing an attacker to access resources only available to privileged users. The flaw impacts versions 420 and 430.
- CVE-2023-23857: Critical severity information disclosure, data manipulation and DoS vulnerability (CVSS v3: 9.8) affecting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by logging into an open interface and accessing services through the Directory API.
- CVE-2023-27269: Critical severity directory traversal issue (CVSS v3: 9.6) affecting SAP NetWeaver Application Server for ABAP. The flaw allows a non-administrator user to overwrite system files. It affects versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 and 791.
- CVE-2023-27500: Critical severity directory traversal (CVSS v3: 9.6) in SAP NetWeaver AS for ABAP. An attacker can exploit the SAPRSBRO flaw to overwrite system files, causing damage to the vulnerable endpoint. It impacts versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 757.
- CVE-2023-25617: Critical severity command execution vulnerability (CVSS v3: 9.0) in SAP BusinessObjects Business Intelligence Platform, versions 420 and 430. The flaw allows a remote attacker to execute arbitrary commands on the operating system at the BI Launchpad, Central Management Console, or a public Java SDK-based application under certain conditions.
In addition to the above, SAP’s monthly security patch fixed four high-severity flaws and ten medium-severity vulnerabilities.
Security vulnerabilities in SAP products are excellent targets for threat actors, as they are commonly used by large organizations around the world and can serve as entry points to extremely valuable systems.
SAP is the largest ERP vendor in the world, holding 24% of the global market with 425,000 customers in 180 countries. More than 90% of the Forbes Global 2000 uses its ERP, SCM, PLM and CRM products.
In February 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch a set of severe vulnerabilities affecting SAP business applications to prevent data theft, ransomware attacks, and disruption of critical processes and operations.
In April 2021, threat actors were observed exploiting already-fixed flaws in unpatched SAP systems to gain access to corporate networks.