- 68/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
This month’s patch fixes several vulnerabilities affecting multiple SAP products SAP Business Objects Business Intelligence Platform (CMC), SAP NetWeaver, SAP NetWeaver AS for Java, SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP Business Objects (Adaptive Job Server), SAP Solution Manager and ABAP managed systems (ST-PI), SAP Host Agent, SAP NetWeaver (SAP Enterprise Portal), SAP BusinessObjects Business Intelligence Platform (WebServices), SAP Content Server.
The attacker could exploit some of these vulnerabilities to gain access, execute arbitrary commands, cause a denial of service attack, or obtain sensitive information from the affected system.
Sample of the addressed vulnerabilities:
1. Code Injection Vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (CVE-2023-25616):
• CVSS: 9.9
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
2. Improper Access Control in SAP NetWeaver AS for Java (CVE-2023-23857):
• CVSS: 9.9
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.