- 04/2023
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (3) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP BPC MS 10.0, SAP BusinessObjects Business Intelligence platform, SAP NetWeaver Process Integration, SAP NetWeaver AS for Java, SAP NetWeaver ABAP Server and ABAP Platform, SAP Host Agent, and SAP Bank Account Management.
The remote attacker could exploit some of these vulnerabilities to take control of the affected system.
Sample of the addressed vulnerabilities:
1. SQL Injection Vulnerability in SAP Business Planning and Consolidation MS (CVE-2023-0016):
• CVSS: 9.9
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
2. Code Injection Vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2023-0022):
• CVSS: 9.9
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.