- 42/2023
- High
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (5) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP BPC MS 10.0, SAP BusinessObjects Business Intelligence platform, SAP NetWeaver Process Integration, SAP NetWeaver AS for Java, SAP NetWeaver ABAP Server and ABAP Platform, SAP Host Agent, and SAP Bank Account Management.
The attacker could exploit some of these vulnerabilities to escalate the privileges or obtain sensitive information from the affected system.
Sample of the addressed vulnerabilities:
1. Privilege Escalation Vulnerability in SAP Start Service (CVE-2023-24523):
• CVSS: 8.8
• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Privilege
2. Information disclosure Vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2023-0020):
• CVSS: 8.5
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Obtain Information
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.