SAP releases security updates fixing five critical vulnerabilities

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks.

The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.

More specifically, the five flaws fixed this time are the following:

CVE-2023-25616: Critical severity (CVSS v3: 9.9) code injection vulnerability in SAP Business Intelligence Platform, allowing an attacker to access resources only available to privileged users. The flaw impacts versions 420 and 430. CVE-2023-23857: Critical severity (CVSS v3: 9.8) information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50. The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API. CVE-2023-27269: Critical severity (CVSS v3: 9.6) directory traversal problem impacting SAP NetWeaver Application Server for ABAP. The flaw allows a non-admin user to overwrite system files. It affects versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791. CVE-2023-27500: Critical severity (CVSS v3: 9.6) directory traversal in SAP NetWeaver AS for ABAP. An attacker can exploit the flaw in SAPRSBRO to overwrite system files, causing damage to the vulnerable endpoint. Impacts versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757. CVE-2023-25617: Critical severity (CVSS v3: 9.0) command execution vulnerability in SAP Business Objects Business Intelligence Platform, versions 420 and 430. The flaw allows a remote attacker to execute arbitrary commands on the OS using the BI Launchpad, Central Management Console, or a custom application based on the public java SDK, under certain conditions.

Apart from the above, SAP's monthly security patch fixed four high-severity flaws and and ten medium-severity vulnerabilities.

Patch now

Security flaws in SAP products are excellent targets for threat actors because they are commonly used by large organizations worldwide and can serve as entry points to extremely valuable systems.

SAP is the largest ERP vendor in the world, having 24% of the global market share with 425,000 customers in 180 countries. Over 90% of the Forbes Global 2000 uses its ERP, SCM, PLM, and CRM products.

In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.

In April 2021, threat actors were observed attacking fixed flaws in unpatched SAP systems to gain access to corporate networks.