SAP Security Notes: March 2023 Vulnerability Summary

What are the critical SAP security vulnerabilities addressed in March 2023? In March 2023, SAP released patches for several high-risk vulnerabilities, including a critical SQL injection in NetWeaver AS Java, authentication bypasses in the LockingService, and code execution risks in SAP BusinessObjects Business Intelligence (BOBJ). These updates are essential for maintaining system integrity and preventing unauthorized exploitation.

This summary outlines the key patches released by SAP in March 2023 to address security vulnerabilities across their product ecosystem. Security professionals should prioritize these updates to mitigate risks related to remote code execution, SQL injection, and directory traversal. The patches cover critical components such as the NetWeaver Application Server (AS) and SAP BusinessObjects Business Intelligence (BOBJ) platform. By applying these security notes, organizations can close exploitable gaps that could allow unauthenticated attackers to compromise sensitive system data or trigger denial-of-service conditions.

Key Takeaways

  • Patch SAP NetWeaver AS Java 7.50 immediately to address a critical SQL injection vulnerability via User Defined Search (UDS).
  • Apply fixes for the LockingService in AS Java to resolve a broken authentication vulnerability.
  • Secure SAP BusinessObjects Business Intelligence (BOBJ) against code injection and OS command execution risks.
  • Update NetWeaver AS ABAP to resolve directory traversal vulnerabilities that can lead to system file overwrites.

What are the critical vulnerabilities in SAP NetWeaver AS Java?

SAP NetWeaver AS Java 7.50 contains a critical SQL injection vulnerability, addressed in note 3273480, which can be exploited by unauthenticated attackers. This flaw resides in an open interface exposed through JNDI by the User Defined Search (UDS) feature. The patch mitigates this by applying necessary authorization checks to the following roles: SAPXIADMINISTRATORJ2EESAPXICONFIGURATORJ2EESAPXIDEVELOPERJ2EE, and NWAREADONLY. Additionally, note 3252433 addresses a broken authentication vulnerability in the LockingService, which has been patched by removing public access and enforcing strict authentication and authorization checks.

How should SAP BusinessObjects Business Intelligence (BOBJ) be secured?

SAP BusinessObjects Business Intelligence (BOBJ) requires updates to address high-risk vulnerabilities identified in notes 3245526 and 3283438.

Vulnerability TypeAffected ComponentMitigation Strategy
Code InjectionCentral Management Console (CMC)Remove ‘Use Impersonation’ option and add authorization checks
OS Command ExecutionAdaptive Job ServerUncheck ‘Run scripts/binaries’ and ‘Run Java programs’; disable rexecd service

What are the directory traversal risks in SAP NetWeaver AS ABAP?

SAP NetWeaver AS ABAP is impacted by directory traversal vulnerabilities, as detailed in notes 3294595 and 3302162. If left unpatched, these vulnerabilities allow attackers to overwrite critical system files and trigger a denial-of-service (DoS) condition, potentially disrupting core business operations.

Frequently Asked Questions

What is the most critical vulnerability mentioned in the March 2023 notes?

The most critical issue is the SQL injection vulnerability in NetWeaver AS Java 7.50 (Note 3273480), which allows unauthenticated attackers to exploit an interface exposed via JNDI.

How do I mitigate the OS command execution risk in BOBJ?

You can mitigate this risk by applying note 3283438, which involves unchecking the ‘Run scripts/binaries’ and ‘Run Java programs’ options in the Central Management Console (CMC) and disabling the rexecd service.

What is the impact of the directory traversal vulnerabilities?

The directory traversal vulnerabilities in NetWeaver AS ABAP (Notes 3294595 and 3302162) allow attackers to overwrite sensitive system files and can result in a denial of service.

Share the Post: