SAP’s April patch day brings security notes and thus software updates to close 19 vulnerabilities in the products from Walldorf. The developers classify two of the gaps as critical (“Hot News”). According to SAP, another vulnerability represents a high risk, while 13 have a medium and three a low threat level. The developers have updated five older security notes with newer information.
SAP: Critical vulnerabilities
One of the critical vulnerabilities is found in the SAP Diagnostics Agent. Due to a lack of authentication and input filtering, the EventLogServiceCollector an attacker to run malicious scripts on all connected Windows diagnostics agents. If successfully exploited, attackers can completely compromise the confidentiality, integrity, and availability of the system (CVE-2023-27497, CVSS 10.0Risk “critical“).
Attackers can also access information in SAP BusinessObjects Business Intelligence Platform access. Specifically, users with simple rights can access the lcmbiar– Obtain the file and further decrypt the file. This allows them to gain access to the SAP Business Intelligence user’s passwords and, depending on the user’s privileges, perform operations that can completely compromise the application (CVE-2023-28765, CVSS 9.8, critical).
The SAP developers regard a directory traversal gap as a high risk SAP Netweaver, which allow attackers to upload and overwrite files on the SAP server. Although no data could be read, if attackers from the network have administrative rights, they can overwrite critical operating system files and thus paralyze it (CVE-2023-29186, CVSS 8.7, hoch).
Further gaps can be found in SAP Landscape Management, SapSetup, SAP Netweaver Enterprise Portal, SAP Netweaver AS for ABAP and ABAP Platform, SAP GUI for HTML, SAP CRM, SAP CRM WebClient UI, SAP NetWeaver AS Java for Deploy Service, SAP NetWeaver AS for ABAP (Business Server Pages), ABAP Platform and SAP Web Dispatcher, SAP Commerce, SAP Application Interface Framework as well as SAP HCM Fiori App My Forms.
more details links to SAP in the patch day overview. IT managers can find more information there in the SAP Launchpad and can download and apply the updates in the ways they are familiar with. Since some of the vulnerabilities have been classified as critical and high-risk, administrators should not take too much time with them.
In March of this year, SAP also patched 19 vulnerabilities. However, the manufacturer considered five of these to be critical security risks.
(dmk)
