Software vendor SAP has released security updates to fix 19 vulnerabilities, five of which are rated as critical. The patches released this month impact many products of the SAP suite, but the critical severity vulnerabilities affect SAP NetWeaver and SAP Business Objects Business Intelligence Platform (CMC).
What Are the Critical Flaws Patched?
- CVE-2023-25616: this vulnerability affects SAP Business Objects Intelligence Platform (CMC) versions 420 and 430. Program Object execution may result in a code injection vulnerability, which could allow an attacker to access resources that are allowed by extra privileges. A successful attack could have a high impact on the confidentiality, integrity, and availability of the system. On the CVSS scale, this vulnerability is rated 9.9 (critical severity).
- CVE-2023-23857: this vulnerability affects SAP NetWeaver AS for Java version 7.50. The flaw allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API. Successful exploitation allows the attacker to view and change some sensitive data, but it can also be used to lock up any function or aspect of the system, rendering it unavailable or unresponsive. On the CVSS scale, this vulnerability is rated 9.8 (critical severity).
- CVE-2023-27269: this vulnerability affects SAP NetWeaver Application Server for ABAP and ABAP Platform – versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 and 791. If successfully exploited, this flaw can allow non-admin users to overwrite system files. On the CVSS scale, this vulnerability is rated 9.6 (critical severity).
- CVE-2023-27500: this vulnerability affects SAP NetWeaver AS for ABAP – versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757. Threat actors can exploit the flaw in SAPRSBRO to overwrite system files and cause damage to the vulnerable endpoint. On the CVSS scale, this vulnerability is rated 9.6 (critical severity).
- CVE-2023-25617: this vulnerability affects SAP Business Object (Adaptive Job Server) – versions 420 and 430. It is a command execution vulnerability which, if successfully exploited, can allow a remote attacker to execute arbitrary commands on the OS by using the BI Launchpad, Central Management Console, or a custom application based on the public Java SDK. On the CVSS scale, this vulnerability is rated 9.0 (critical severity).
You can check out all the patches released in the March 2023 edition of SAP Security Patch Day by accessing this link. Microsoft also released their Patch Tuesday issue for the month of March, which you can check out here.
Because SAP products are widely utilized by large organizations worldwide and can operate as entry points to incredibly valuable systems, they make great targets for threat actors.
SAP is the largest ERP vendor in the world, with a market share of 24% and a number of 425,000 customers in 180 countries. Over 90% of the Forbes Global 2000 uses SAP’s ERP, SCM, PLM, and CRM products.
How Can Heimdal® Help Your Company’s Patch Management?
Your company’s patch management strategy can prove to be crucial in stopping potential attackers from breaching your systems. But depending on the number of machines, applications and operating systems running in your company, the patch management process can be difficult to handle manually.
Heimdal®’s Patch & Asset Management is a fully automated patching solution that allows you to deploy patches on-the-fly, from anywhere in the world, whenever you like. The solution allows you to patch Linux, Microsoft, and even 3rd party apps, making it highly convenient. And by being fully customizable, it can perfectly suit your company’s needs. Take it for a spin and see for yourself how beneficial automated patching can be.
Heimdal® Patch & Asset Management Software
- Schedule updates at your convenience;
- See any software assets in inventory;
- Global deployment and LAN P2P;
- And much more than we can fit in here...