- 85/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP Diagnostics Agent, SAP Business Client, SAP NetWeaver Process Integration, SAP BusinessObjects Business Intelligence Platform (Promotion Management, SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP NetWeaver (BI CONT ADDON), SAP NetWeaver Enterprise Portal, SAP GUI for HTML, SAP CRM, SAP Web Dispatcher and Internet, SAP NetWeaver AS Java, SAP Commerce, and SAP Application Interface Framework.
The attacker could exploit some of these vulnerabilities to gain access, execute arbitrary commands, obtain sensitive information, cause cross-site scripting, or denial of service attacks.
Sample of the addressed vulnerabilities:
1. SAP Diagnostics Agent Code Execution Vulnerability (CVE-2023-27497):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. SAP BusinessObjects Business Intelligence Platform Information Disclosure Vulnerability (CVE-2023-28765):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
SAP Security Patch Day April 2023