The February 2023 SAP Security Notes address critical vulnerabilities across NetWeaver Application Server Java, the SAP Host Agent, and SAP BusinessObjects. Key patches include fixes for JNDI interface exposure, privilege escalation via webservice requests, and unrestricted file upload vulnerabilities, alongside necessary corrections for side effects introduced by earlier security patches.
Executive Summary
The February 2023 patch release from SAP focuses on mitigating high-risk vulnerabilities across several core platforms. The most significant update concerns note 3273480, which addresses a critical JNDI interface vulnerability in NetWeaver Application Server Java. Subsequent notes, 3301366 and 3284781, provide essential corrections for side effects introduced by this patch, specifically affecting monitoring and Process Integration (PI) services. Additionally, organizations are urged to upgrade the SAP Host Agent to version 7.22 PL59 to prevent OS command execution via webservice requests. The release also covers critical issues in SAP BusinessObjects (BOBJ) and Business Planning and Consolidation (BPC), including file upload and privilege escalation risks. Administrators should review these notes immediately to secure their SAP landscapes against potential exploitation.
Key Takeaways
- Update SAP Host Agent to version 7.22 PL59 to patch critical privilege escalation vulnerabilities.
- NetWeaver AS Java requires patching for a critical JNDI interface vulnerability.
- Apply supplementary notes 3301366 and 3284781 to resolve side effects from the initial AS Java fix.
- Implement file type whitelisting in BOBJ to mitigate unrestricted file upload risks.
What are the critical updates for SAP NetWeaver AS Java?
The primary update for SAP NetWeaver Application Server Java (AS Java) is security note 3273480, which addresses a critical vulnerability allowing attackers to compromise installations via an open JNDI interface exposed through User Defined Search (UDS). Because the initial fix implemented authorization checks that caused functional side effects, SAP released two additional notes to restore stability:
- Note 3301366: Corrects side effects related to alerting and monitoring.
- Note 3284781: Provides instructions to resolve issues observed in services used by Process Integration (PI).
How do you patch the SAP Host Agent vulnerability?
To patch the high-priority privilege escalation vulnerability in the SAP Host Agent, administrators must upgrade to version 7.22 PL59, as recommended by note 3285757. Without this update, attackers can exploit the agent to execute operating system commands with administrative privileges by sending malicious webservice requests.
What are the security risks in SAP BusinessObjects and BPC?
SAP BusinessObjects (BOBJ) and Business Planning and Consolidation (BPC) require attention due to several identified vulnerabilities, including information disclosure and privilege escalation. Note 3256787 addresses an unrestricted file upload vulnerability in BOBJ; as a workaround, administrators should apply a file format whitelist using the upload.file.allowed.formats property in the global.properties file. Other important notes include 3263135 for information disclosure in BOBJ and 3271091 for privilege escalation in BPC.
Summary of February 2023 SAP Security Notes
| Note ID | Affected Product | Vulnerability Type | Recommended Action |
|---|---|---|---|
| 3273480 | NetWeaver AS Java | JNDI Interface Exposure | Apply patch and follow-up notes |
| 3285757 | SAP Host Agent | Privilege Escalation | Upgrade to 7.22 PL59 |
| 3256787 | SAP BusinessObjects | Unrestricted File Upload | Apply patch or file whitelist |
| 3263135 | SAP BusinessObjects | Information Disclosure | Review and apply patch |
| 3271091 | SAP BPC | Privilege Escalation | Review and apply patch |
Frequently Asked Questions
Which SAP Host Agent version is required to patch the privilege escalation vulnerability?
Organizations should upgrade the SAP Host Agent to the latest version, 7.22 PL59, to remediate the high-priority privilege escalation vulnerability that allows unauthorized operating system command execution via webservice requests.
How can you mitigate the unrestricted file upload vulnerability in SAP BusinessObjects?
Beyond applying the patch provided in note 3256787, administrators can implement a workaround by defining a whitelist for allowed file format types. This is configured by setting the upload.file.allowed.formats property within the global.properties file.
What are the side effects of applying SAP Security Note 3273480?
The initial fix for the NetWeaver AS Java JNDI vulnerability caused side effects in alerting, monitoring, and Process Integration (PI) services. Administrators must apply note 3301366 to resolve alerting and monitoring issues and note 3284781 to correct issues with specific PI services.