German enterprise software maker SAP announced the release of 19 new notes on its April 2023 Security Patch Day, as well as five updates to previously released notes.
The 24 notes included in SAP’s security updates (PDF) include five ‘hot news’ notes, SAP’s highest severity rating. Two of these are new notes and three are updates to previously released security notes. Among the new notes, the two most important address critical vulnerabilities in SAP Diagnostics Agent and in the BusinessObjects platform.
The SAP Diagnostics Agent vulnerability (CVE-2023-27497, CVSS score of 10) allows an unauthenticated attacker to execute commands on all SAP systems monitored by the agent. The BusinessObjects platform vulnerability (CVE-2023-28765, CVSS score of 9.8) is an information disclosure flaw that could allow attackers to access user passwords.
SAP also released updates for the Chromium browser in Business Client, and two hot news security notes dealing with an improper access control issue and a directory traversal vulnerability in NetWeaver. The remaining notes address medium- and low-severity vulnerabilities in Landscape Management, SapSetup, NetWeaver, Fiori, GUI for HTML, CRM, SAP Web Dispatcher and Internet Communication Manager, ABAP Platform, Commerce, and Application Interface Framework.
In summary, SAP’s April 2023 Security Patch Day delivered 24 notes, including five ‘hot news’ notes, two of which address critical vulnerabilities in SAP Diagnostics Agent and the BusinessObjects platform. The remaining notes address medium- and low-severity vulnerabilities in a variety of components.
Key Points:
- SAP released 24 notes on its April 2023 Security Patch Day, five of which are ‘hot news’.
- Two critical vulnerabilities addressed this week were identified in the SAP Diagnostics Agent and the BusinessObjects platform.
- SAP also released updates for the Chromium browser in Business Client, and two further hot news notes covering an improper access control issue and a directory traversal vulnerability in NetWeaver.
- The remaining notes address medium- and low-severity vulnerabilities in a variety of components.