March 2023 Security Notes News
⇨ Reviewing SAP Security Notes monthly is key to managing security and cybersecurity risk.
⇨ SAP Security Notes can be correlated by top vulnerabilities as well as risk profile to help with prioritizing installation and testing.
⇨ Understanding the vulnerability drives the design of the testing process for the security notes.
SAPInsider is launching a new monthly article providing a summary of SAP Patch Day. SAP releases its security notes on SAP Patch Days, the second Tuesday of each month. We will provide a summary of HotNews, the most common vulnerability being reported, help our readers understand what it means, and provide testing suggestions.
March 2023 SAP Patch Day brought in 19 new notes and two updates. There are 10 HotNews (Critical) and high-risk notes in this group. Of these, SAP is recommending applying the following six HotNews notes urgently:
| Note | Title | Component | Vulnerability type |
|---|---|---|---|
| 3252433 | [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java | BC-CST-EQ | Access Control |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | BC-XI-CON-UDS | Access Control |
| 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | BI-BIP-CMC | Code Injection |
| 3283438 | [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) | BI-BIP-SRV | Command Execution |
| 3294595 | [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-CCM-PRN | Directory Traversal |
| 3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-DOC-RIT | Directory Traversal |
These critical notes primarily deal with the SAP NetWeaver and Adaptive Job Server infrastructures. These are not directly related to what users do, so testing these will require a combination of positive and negative testing to validate that functionality has not changed.
The top three vulnerability types were Access Control, Cross Site Scripting and Directory Traversal. Five of the notes highlighted in March address Access Control vulnerabilities. Two of these are categorized as HotNews with a CVSS score of 9.9, and the remaining three are medium priority with a CVSS score of 5.5.
These notes all address issues with services in the NetWeaver AS Java server. The NetWeaver AS Java Server is one of the critical underlying application servers in the SAP Landscape. It is responsible for running all Java applications and managing the SAML Single Sign-On services.
Let’s take a moment to break down all these technical terms. An Access Control vulnerability in Java is a problem with one or more of the Authentication, Session Management or Access Control components within the Java code stack.
- Authentication: Identification and confirmation of the user and assigned privileges.
- Session Management: Manages the link between HTTP requests and the user making them.
- Access Control: The process that checks to see if the user has permission to carry out those requests.
This vulnerability can allow a hacker to gain access to the system, escalate their privileges, and send HTTP requests for data or system control. Although not all the notes for this vulnerability are classified as HotNews, it makes sense to bundle the application of these lower-priority notes together with the HotNews ones from an impact and testing perspective.
Once the notes are applied, running both positive and negative testing through the Java modules installed will validate that there are no new issues introduced to the system. Positive testing would be to run through the Java and web-based applications to make sure users are able to log in and access the application as usual.
Negative testing would be to try to log in with bogus users and passwords, and to log in with valid users and try to access things they don’t have permission for. You could take it a step further and modify the HTTP request in a browser window, tampering with the verb to change the directory or the action. Basic HTTP verbs include GET, PUT and POST, among others. These are the easiest to test.
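As an added illustration of the three components described above (authentication, session management, access control) and of the positive and negative test cases just listed, the following Python script is an example written for this article, not code from SAPInsider, SAP or Onapsis. The `App` class is a constructed in-memory stand-in for a Java web application, and the users, passwords and ACL are sample data made up for the example. `run_regression` plays the tester's role: it exercises the happy path, then bogus logins, out-of-scope paths, a tampered HTTP verb, a tampered directory and a forged session, and records the status code each attempt received so that any deviation after a patch is visible at a glance.

```python
"""Positive/negative regression harness for an access-control stack.

Added example, not code from SAPInsider or SAP.  ``App`` is a constructed
in-memory stand-in for a Java web application, split into the three
components the article names: authentication, session management and
access control.  Status codes follow HTTP conventions.
"""
import hmac
import posixpath
import secrets
from dataclasses import dataclass, field
from hashlib import sha256


def _pw_hash(password: str) -> str:
    # Constructed sample scheme for the example; a real stack uses a salted KDF.
    return sha256(password.encode()).hexdigest()


# Constructed sample users and a per-path, per-verb ACL.
USERS = {"alice": _pw_hash("alice-pw"), "bob": _pw_hash("bob-pw")}
ACL = {
    "/reports": {"GET": {"alice", "bob"}},
    "/admin/users": {"GET": {"alice"}, "POST": {"alice"}},
}


@dataclass
class App:
    sessions: dict = field(default_factory=dict)  # token -> user name

    def login(self, user: str, password: str):
        """Authentication: confirm identity; return a session token or None."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, _pw_hash(password)):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user
        return token

    def user_for(self, token):
        """Session management: map a request's token back to its user."""
        return self.sessions.get(token)

    def handle(self, method: str, path: str, token=None) -> int:
        """Access control: decide whether this user may do this verb here."""
        user = self.user_for(token)
        if user is None:
            return 401                      # no valid session
        path = posixpath.normpath(path)     # collapse "../" before the lookup
        rules = ACL.get(path)
        if rules is None:
            return 404
        allowed = rules.get(method)
        if allowed is None:
            return 405                      # verb not offered on this path
        return 200 if user in allowed else 403


def run_regression(app: App) -> dict:
    """Return {case: (expected, actual)} for positive and negative cases."""
    alice = app.login("alice", "alice-pw")
    bob = app.login("bob", "bob-pw")
    cases = {
        # Positive: valid users reach what they are entitled to.
        "alice_reports":   (200, lambda: app.handle("GET", "/reports", alice)),
        "alice_admin":     (200, lambda: app.handle("POST", "/admin/users", alice)),
        "bob_reports":     (200, lambda: app.handle("GET", "/reports", bob)),
        # Negative: bogus user or wrong password gets no session.
        "bogus_user":      (None, lambda: app.login("mallory", "guess")),
        "wrong_password":  (None, lambda: app.login("bob", "not-bobs-pw")),
        # Negative: valid user asking for something outside its permissions.
        "bob_admin":       (403, lambda: app.handle("GET", "/admin/users", bob)),
        # Negative: tampered verb on a path that only offers GET.
        "bob_put_reports": (405, lambda: app.handle("PUT", "/reports", bob)),
        # Negative: tampered directory that normalises into the admin path.
        "bob_traversal":   (403, lambda: app.handle("GET", "/reports/../admin/users", bob)),
        # Negative: no token at all, and a forged token.
        "anonymous":       (401, lambda: app.handle("GET", "/reports", None)),
        "forged_token":    (401, lambda: app.handle("GET", "/reports", "made-up")),
    }
    return {name: (expected, run()) for name, (expected, run) in cases.items()}


def failures(results: dict) -> list:
    """Names of cases whose actual status differed from the expected one."""
    return sorted(name for name, (exp, act) in results.items() if exp != act)


if __name__ == "__main__":
    res = run_regression(App())
    for name, (exp, act) in res.items():
        print(f"{name:16} expected={exp!s:5} actual={act!s:5} {'OK' if exp == act else 'FAIL'}")
    print("failures:", failures(res) or "none")
```

Run the script before and after applying a note; the expected column is the baseline, and any name listed under `failures` is a behaviour change worth investigating. Against a real system the lambdas would issue HTTP requests instead of calling `App.handle`, but the case list and the pass/fail bookkeeping stay the same.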
For an in-depth analysis of the notes, log into the SAP Marketplace or check out the monthly SAP Patch Day blog by Onapsis.