SAP Security Notes: January 2023 Vulnerability Summary

The January 2023 SAP Security patch cycle addressed several critical and high-risk vulnerabilities, including a capture-replay issue in SAP NetWeaver AS ABAP and a broken authentication flaw in SAP NetWeaver AS Java. Organizations are advised to apply these security notes immediately to prevent unauthorized data access and potential service disruption.

Executive Summary

The January 2023 SAP security updates provide critical remediations for vulnerabilities across multiple SAP platforms. The most significant update, Note 3089413, addresses a capture-replay vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) caused by non-unique system identification hashes. This vulnerability could lead to authentication bypass and requires corrections in both trusting and trusted systems.

Additionally, Note 3268093 resolves a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). This flaw allowed unauthenticated attackers to exploit open naming and directory APIs, potentially leading to unauthorized data modification and service disruption. The fix restricts public access to administrative services and enforces proper authentication. High-risk issues in SAP BusinessObjects Business Intelligence (BOBJ), including insecure deserialization, were also addressed via Note 3243924. These patches collectively aim to harden SAP environments against exploitation by restricting access, enforcing authentication, and correcting flawed deserialization processes.

Key Takeaways

  • Note 3089413 patches a critical capture-replay vulnerability in SAP NetWeaver AS ABAP that can lead to authentication bypass.
  • Note 3268093 fixes a broken authentication flaw in SAP NetWeaver AS Java that could permit unauthorized data access.
  • Note 3243924 addresses high-risk insecure deserialization in SAP BusinessObjects (BOBJ) by restricting deserialization to specific internal classes.
  • Administrators must apply corrections in both trusting and trusted systems for AS ABAP vulnerabilities.
  • Additional patches exist for code and SQL injection vulnerabilities in BOBJ and Business Planning and Consolidation.

What vulnerabilities were addressed in SAP NetWeaver?

SAP NetWeaver faced two primary security threats in January 2023: a capture-replay vulnerability in AS ABAP and a broken authentication flaw in AS Java. The AS ABAP vulnerability (Note 3089413) stems from the failure to use unique hashes for system identification, necessitating patches in both trusting and trusted systems. The AS Java vulnerability (Note 3268093) allowed unauthenticated attackers to exploit open APIs, leading to potential data exposure. The fix restricts public access to specific administrative services and mandates proper authorization roles.

Which SAP BusinessObjects vulnerabilities were patched?

SAP BusinessObjects Business Intelligence (BOBJ) required updates for insecure deserialization and other high-risk flaws. Note 3243924 patches an insecure deserialization vulnerability that allowed authenticated attackers with minimal privileges to intercept and modify serialized objects. The solution restricts deserialization to specific internal classes. Furthermore, Note 3262810 and Note 3275391 were released to address code injection and SQL injection vulnerabilities in Analysis Edition for OLAP and SAP Business Planning and Consolidation, respectively.

Summary of January 2023 SAP Security Notes

The following table summarizes the key security notes released in January 2023.

SAP NotePlatformVulnerability TypeRisk Level
3089413SAP NetWeaver AS ABAPCapture-ReplayCritical
3268093SAP NetWeaver AS JavaBroken AuthenticationCritical
3243924SAP BOBJInsecure DeserializationHigh
3262810SAP BOBJ (Analysis Edition)Code InjectionImportant
3275391SAP BPCSQL InjectionImportant

Frequently Asked Questions

What actions are required for SAP NetWeaver AS ABAP?

Administrators must apply the corrections provided in Note 3089413 to the SAP kernel and the SAP Basis component. Crucially, these corrections must be applied in both trusting and trusted systems to ensure the fix is effective against the capture-replay vulnerability.

How does the patch for SAP NetWeaver AS Java affect administrative roles?

The correction for Note 3268093 removes public access to the basicadmin and adminadapter services. It introduces mandatory authentication and authorization, automatically assigning the required permissions to the Administrator, NWASUPERADMIN, and NWA_READONLY roles.

Is there a workaround for the BOBJ insecure deserialization vulnerability?

Yes, Note 3243924 includes instructions for a workaround that involves removing the vulnerable code in specific files within the Central Management Console and BI LaunchPad of SAP BusinessObjects.

Share the Post: