
- 322/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products.
SAP has released patches that fix several vulnerabilities affecting multiple SAP products, including SAP Business Client, SAP ECC and SAP S/4HANA (IS-OIL), SAP Commerce Cloud, SAP BusinessObjects BI Platform, SAP GUI for Windows and SAP GUI for Java, SAP BusinessObjects Web Intelligence, SAP Solution Manager, SAP Biller Direct, SAP HCM, SAPUI5, SAP Fiori Launchpad, SAP Master Data Governance, SAP Cloud Connector, SAP NetWeaver Application Server ABAP and ABAP Platform.
An attacker could exploit some of these vulnerabilities to bypass security restrictions, obtain sensitive information, perform SQL injection or cross-site scripting, conduct denial-of-service attacks, or execute arbitrary commands and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. SAP Business Technology Platform (BTP) Security Services Integration Libraries Privilege Escalation (CVE-2023-49583):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
2. SAP Commerce Cloud Security Bypass Vulnerability (CVE-2023-42481):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Bypass Security
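The two entries above print only the four exploitability metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction) next to the base score; the Scope and the Confidentiality, Integrity and Availability impact metrics are not given. The following Python is an added example, not part of this advisory or of SAP's material, that implements the CVSS v3.1 base-score formula and enumerates every full vector that agrees with the printed partial metrics and still produces the printed score. It is a consistency check on an advisory, not a derivation of SAP's official vectors: the full vectors it reports (for instance S:U/C:H/I:H/A:N for both CVEs) are inferences from the numbers on this page, and the weights and rounding function come from the public CVSS v3.1 specification.

```python
"""CVSS v3.1 base-score calculator with a consistency check for partial vectors.

Added example. Formula, weights and rounding follow the CVSS v3.1 specification
(FIRST, Section 7 and Appendix A). The partial metrics and scores in the demo
are the ones printed in the advisory; the full vectors derived from them are
inferences, not data published on the page.
"""
import itertools
import math
import re

# Metric weights from the CVSS v3.1 specification (Table 8).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}   # PR weight rises when Scope is Changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

METRICS = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]
DOMAINS = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
           "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}


def roundup(value):
    """Round up to one decimal exactly as CVSS v3.1 Appendix A specifies (avoids float drift)."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(v):
    """CVSS v3.1 base score for a dict of metric letters, e.g. {'AV': 'N', 'AC': 'L', ...}."""
    pr_table = PR_CHANGED if v["S"] == "C" else PR_UNCHANGED
    iss = 1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]])
    if v["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[v["AV"]] * AC[v["AC"]] * pr_table[v["PR"]] * UI[v["UI"]]
    if impact <= 0:
        return 0.0
    if v["S"] == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def parse_vector(vector):
    """Parse 'CVSS:3.1/AV:N/...' (full or partial) into a metric dict, validating each value."""
    m = re.fullmatch(r"CVSS:3\.[01]/(.+)", vector)
    if not m:
        raise ValueError("not a CVSS v3.x vector: " + vector)
    parts = dict(p.split(":", 1) for p in m.group(1).split("/"))
    for key, val in parts.items():
        if key not in DOMAINS or val not in DOMAINS[key]:
            raise ValueError(f"bad metric {key}:{val}")
    return parts


def format_vector(v):
    return "CVSS:3.1/" + "/".join(f"{k}:{v[k]}" for k in METRICS)


def consistent_vectors(partial, score):
    """Every full vector that agrees with `partial` and scores exactly `score`.

    An empty result means the printed metrics and the printed score cannot
    both be right; several results mean the page does not pin down the impact.
    """
    choices = [[partial[k]] if k in partial else list(DOMAINS[k]) for k in METRICS]
    found = []
    for combo in itertools.product(*choices):
        v = dict(zip(METRICS, combo))
        if base_score(v) == score:
            found.append(format_vector(v))
    return found


if __name__ == "__main__":
    # Partial metrics and scores exactly as printed in the advisory for the two sampled CVEs.
    advisory = {
        "CVE-2023-49583": ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N", 9.1),
        "CVE-2023-42481": ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N", 8.1),
    }
    for cve, (partial, score) in advisory.items():
        matches = consistent_vectors(parse_vector(partial), score)
        print(f"{cve}: {len(matches)} full vector(s) fit {partial} with score {score}")
        for vec in matches:
            print("   ", vec)
```

Running the script shows that, with the exploitability metrics printed here, a score of 9.1 for CVE-2023-49583 is only reachable with Scope Unchanged and two of the three impact metrics at High, which is what "Gain Privileges" on an unauthenticated, no-interaction network path implies; the same check on CVE-2023-42481 explains the 8.1 as the same impact profile with Privileges Required lowered to Low.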
Mitigations
Organizations running the affected products should apply the corresponding SAP security patches as soon as their testing is complete. CVE-2023-49583 is reachable over the network without privileges or user interaction and grants arbitrary permissions, so the BTP Security Services Integration Libraries update should be prioritized.