{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-019.pdf"
    },
    "title": "Several Critical Vulnerabilities in SAP Products",
    "serial_number": "2023-019",
    "publish_date": "15-03-2023 10:30:00",
    "description": "On March 14, 2023, SAP released 19 patches for various products, five of which are critical-severity fixes for SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver:<br><br>- Improper Access Control in SAP NetWeaver AS for Java (CVE-2023-23857)<br>- Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (CVE-2023-25616)<br>- OS command execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) (CVE-2023-25617)<br>- Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (CVE-2023-27269)<br>- Directory Traversal vulnerability in SAP ERP and S4HANA (SAPRSBRO Program) (CVE-2023-27500)<br><br>Due to their high global market share, SAP products are a valuable target for threat actors and criminals. Therefore, CERT-EU recommends applying the issued patches as soon as possible.",
    "url_title": "2023-019",
    "content_markdown": "--- \ntitle: 'Several Critical Vulnerabilities in SAP Products'\nversion: '1.0'\nnumber: '2023-019'\noriginal_date: 'March 14, 2023'\ndate: 'March 15, 2023'\n---\n\n_History:_\n\n* _15/03/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 14, 2023, SAP released 19 patches for various products [1], five of which are critical-severity fixes for SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver [2]:\n\n* Improper Access Control in SAP NetWeaver AS for Java (CVE-2023-23857)\n* Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (CVE-2023-25616)\n* OS command execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) (CVE-2023-25617)\n* Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (CVE-2023-27269)\n* Directory Traversal vulnerability in SAP ERP and S4HANA (SAPRSBRO Program) (CVE-2023-27500)\n\nDue to their high global market share, SAP products are a valuable target for threat actors and criminals. Therefore, CERT-EU recommends applying the issued patches as soon as possible.\n\n# Technical Details\n\n* CVE-2023-23857: An information disclosure, data manipulation, and DoS flaw that allows an unauthenticated attacker to perform unauthorised operations by attaching to an open interface and accessing services via the directory API.\n* CVE-2023-25616: A code injection vulnerability allowing an attacker to access resources only available to privileged users.\n* CVE-2023-25617: A command execution vulnerability allowing a remote attacker, under certain conditions, to execute arbitrary commands on the operating system.\n* CVE-2023-27269: A directory traversal problem that allows a non-admin user to overwrite system files.\n* CVE-2023-27500: A directory traversal problem allowing an attacker to overwrite system files, causing damage to the vulnerable endpoint.\n\n# Affected Products\n\n* CVE-2023-23857: SAP NetWeaver AS for Java, version 7.50.\n* CVE-2023-25616: SAP Business Intelligence Platform, versions 420 and 430.\n* CVE-2023-25617: SAP Business Intelligence Platform, versions 420 and 430.\n* CVE-2023-27269: SAP NetWeaver Application Server for ABAP, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791.\n* CVE-2023-27500: SAP NetWeaver Application Server for ABAP, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, and 757.\n\n# Recommendations\n\nCERT-EU firmly recommends applying the security fixes for these critical vulnerabilities. Applying the other 14 patches is also recommended.\n\n# References\n\n[1] <https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>\n\n[2] <https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-fixing-five-critical-vulnerabilities/>",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/03/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 14, 2023, SAP released 19 patches for various products [1], five of which are critical-severity fixes for SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver [2]:</p><ul><li>Improper Access Control in SAP NetWeaver AS for Java (CVE-2023-23857)</li><li>Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) (CVE-2023-25616)</li><li>OS command execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server) (CVE-2023-25617)</li><li>Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (CVE-2023-27269)</li><li>Directory Traversal vulnerability in SAP ERP and S4HANA (SAPRSBRO Program) (CVE-2023-27500)</li></ul><p>Due to their high global market share, SAP products are a valuable target for threat actors and criminals. Therefore, CERT-EU recommends applying the issued patches as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>CVE-2023-23857: An information disclosure, data manipulation, and DoS flaw that allows an unauthenticated attacker to perform unauthorised operations by attaching to an open interface and accessing services via the directory API.</li><li>CVE-2023-25616: A code injection vulnerability allowing an attacker to access resources only available to privileged users.</li><li>CVE-2023-25617: A command execution vulnerability allowing a remote attacker, under certain conditions, to execute arbitrary commands on the operating system.</li><li>CVE-2023-27269: A directory traversal problem that allows a non-admin user to overwrite system files.</li><li>CVE-2023-27500: A directory traversal problem allowing an attacker to overwrite system files, causing damage to the vulnerable endpoint.</li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>CVE-2023-23857: SAP NetWeaver AS for Java, version 7.50.</li><li>CVE-2023-25616: SAP Business Intelligence Platform, versions 420 and 430.</li><li>CVE-2023-25617: SAP Business Intelligence Platform, versions 420 and 430.</li><li>CVE-2023-27269: SAP NetWeaver Application Server for ABAP, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791.</li><li>CVE-2023-27500: SAP NetWeaver Application Server for ABAP, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, and 757.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU firmly recommends applying the security fixes for these critical vulnerabilities. Applying the other 14 patches is also recommended.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10\">https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-fixing-five-critical-vulnerabilities/\">https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-fixing-five-critical-vulnerabilities/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}