Security News > 2023 > March > SAP releases security updates fixing five critical vulnerabilities
Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks.
The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.
CVE-2023-23857: Critical severity information disclosure, data manipulation, and DoS flaw impacting SAP NetWeaver AS for Java, version 7.50.
The bug allows an unauthenticated attacker to perform unauthorized operations by attaching to an open interface and accessing services via the directory API.
CVE-2023-27269: Critical severity directory traversal problem impacting SAP NetWeaver Application Server for ABAP. The flaw allows a non-admin user to overwrite system files.
CVE-2023-27500: Critical severity directory traversal in SAP NetWeaver AS for ABAP. An attacker can exploit the flaw in SAPRSBRO to overwrite system files, causing damage to the vulnerable endpoint.
In February 2022, the US Cybersecurity and Infrastructure Security Agency urged admins to patch a set of severe vulnerabilities impacting SAP business apps to prevent data theft, ransomware attacks, and disruption of mission-critical processes and operations.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2023-03-14 | CVE-2023-27500 | Path Traversal vulnerability in SAP Netweaver Application Server Abap | An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. | 8.1 |
2023-03-14 | CVE-2023-27269 | Unspecified vulnerability in SAP Netweaver Application Server Abap | SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. | 9.6 |
2023-03-14 | CVE-2023-23857 | Unspecified vulnerability in SAP Netweaver Application Server for Java 7.50 | Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. | 8.6 |