In April 2023, SAP released several critical security notes addressing vulnerabilities in its software. Key patches included Note 3305369 for the SAP Diagnostics Agent, Note 3294595 for SAP NetWeaver AS ABAP, Note 3298961 for SAP BOBJ, and Note 3305907 for the BI Content Add-on for AS ABAP.
The April 2023 SAP security update focused on patching critical vulnerabilities, including code injection, directory traversal, and information disclosure. These vulnerabilities affected core components like the SAP Diagnostics Agent, SAP NetWeaver Application Server ABAP (AS ABAP), and the SAP BusinessObjects Business Intelligence Platform (BOBJ). Patching these vulnerabilities is essential to prevent unauthorized system access, denial-of-service attacks, and potential data exposure. Organizations should review each note to determine the appropriate mitigation strategy, whether through direct patching or the provided workarounds.
Key Takeaways
- Note 3305369 patches code injection and missing authentication in the SAP Diagnostics Agent.
- Note 3294595 fixes a critical directory traversal vulnerability in SAP NetWeaver AS ABAP.
- Note 3298961 resolves an information disclosure vulnerability in the SAP BusinessObjects BI Platform.
- Note 3305907 addresses a high-priority directory traversal vulnerability in the BI Content Add-on for AS ABAP.
Summary of April 2023 SAP Security Notes
The following table summarizes the primary vulnerabilities addressed in the April 2023 SAP security patch cycle.
| SAP Note | Affected Component | Vulnerability Type |
|---|---|---|
| 3305369 | SAP Diagnostics Agent | Code Injection / Missing Auth |
| 3294595 | SAP NetWeaver AS ABAP | Directory Traversal |
| 3298961 | SAP BOBJ | Information Disclosure |
| 3305907 | BI Content Add-on for AS ABAP | Directory Traversal |
What vulnerabilities were patched in the SAP Diagnostics Agent?
Note 3305369 addresses missing authentication check and code injection vulnerabilities within the SAP Diagnostics Agent. The patch removes the EventLogServiceCollector and OSCommand Bridge components to mitigate these risks. While this patch does not affect metric data collection for existing collectors, it will disable metric testing capabilities.
How does Note 3294595 affect SAP NetWeaver AS ABAP?
Note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could allow attackers to overwrite system files, potentially triggering a denial of service. As an alternative to the patch, Note 1512430 describes a method to block reports RSPOXDEV and RSPOXOMS from overwriting files. This requires assigning a physical path to the logical path RSPOFILELOCATION via transaction FILE.
What information disclosure issue was fixed in SAP BOBJ?
Note 3298961 fixes an information disclosure vulnerability in the SAP BusinessObjects Business Intelligence Platform (BOBJ). This vulnerability could enable threat actors to discover the password of a BI user by accessing and decrypting the lcmbiar file. If applying the patch is not immediately possible, password protection for the file can be implemented as a workaround.
What is the risk associated with the BI Content Add-on for AS ABAP?
Note 3305907 addresses a high-priority directory traversal vulnerability in the BI Content Add-on for AS ABAP. This flaw exists in a report that lacks sufficient authentication checks and file validation, potentially allowing attackers to upload and overwrite files. The correction removes the file upload capability from the vulnerable report.