In today's fast-paced business environment, staying ahead of the competition requires more than just making smart decisions; it also requires the right tools to manage and optimize operations effectively. Enter SAP, a global software company that has revolutionized enterprise resource planning (ERP) systems. With its wide range of integrated applications and cutting-edge technology, SAP empowers organizations to streamline their processes, enhance collaboration, and drive innovation. From small businesses to multinational corporations, SAP has become an essential tool for businesses across various industries.

What is SAP?

SAP, an abbreviation for Systems, Applications, and Products in Data Processing, is a leading enterprise resource planning (ERP) software solution that allows businesses to streamline their operations and make better decisions through efficient data management. With its extensive range of modules, SAP covers all aspects of business processes such as finance, sales, procurement, manufacturing, human resources, and more.
One unique feature of SAP is its ability to integrate multiple systems into one cohesive platform. This integration ensures real-time data sharing across different departments within an organization and enables smooth collaboration between teams. Furthermore, SAP provides a centralized database that houses all relevant information for easy access by authorized personnel.

16 Flaws in Multiple SAP Products Addressed:

SAP has released patches for 16 vulnerabilities of Critical, High, Medium, and Low severity. The CVSS scores range from 3.7 (Low) to 9.8 (Critical), breaking down into 1 Critical, 6 High, 7 Medium, and 1 Low severity vulnerability. The CVSS score of one vulnerability is yet to be confirmed. The affected products are:

  • SAP PowerDesigner
  • SAP Business One
  • SAP BusinessObjects Business Intelligence Suite
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Message Server
  • SAP NetWeaver Process Integration
  • SAPUI5
  • SAP Commerce
  • SAP Supplier Relationship Management
  • SAP NetWeaver AS ABAP and ABAP Platform
  • SAP Host Agent
  • SAP Commerce Cloud

1. SAP PowerDesigner (BC-SYB-PD) – CVE-2023-37483

This is an improper access control vulnerability that allows an unauthenticated attacker to execute arbitrary queries against the back-end database via proxy. The CVSS score for this vulnerability is given as 9.8 (Critical).

2. SAP PowerDesigner (BC-SYB-PD) – CVE-2023-36923

This vulnerability allows an attacker with local access to place a malicious library that is then loaded and executed by the application, giving the attacker control over the application's behavior. The CVSS score for this vulnerability is given as 7.8 (High).

3. SAP Business One (SBO-CRO-SEC) – CVE-2023-39437

This is a Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject malicious code into the web page or the application, which is then delivered to the client. This affects the Confidentiality, Integrity, and Availability of the application. The CVSS score for this vulnerability is given as 7.6 (High).
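The XSS entries on this page (this Business One item, and the NetWeaver Process Integration and SAPUI5 entries in the medium-severity list) all come down to untrusted input reaching a browser unencoded. The example below is added here and is not SAP code or code from this advisory; it contrasts the vulnerable concatenation pattern with context-appropriate output encoding for element content, attribute values, and data embedded in a script block, using Python's standard library only. The payload strings and the `partnerName` / `partner` field names are constructed for the demonstration.

```python
import html
import json

# Constructed sample inputs for the demonstration; not taken from any SAP advisory.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'
SCRIPT_BLOCK_PAYLOAD = "</script><script>alert(1)</script>"


def render_vulnerable(username: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated straight into markup."""
    return f"<p>Welcome, {username}</p>"


def render_body(username: str) -> str:
    """Hardened: entity-encode data placed in element content."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def render_attribute(value: str) -> str:
    """Hardened: entity-encode data placed in a quoted attribute.
    quote=True additionally encodes the quote characters, so the value
    cannot terminate the attribute and start a new one."""
    return f'<input name="partner" value="{html.escape(value, quote=True)}">'


def render_script_data(value: str) -> str:
    """Hardened: data embedded in a <script> block is JSON-encoded and
    '<' / '>' are written as \\u003c / \\u003e, so the value can never
    contain a literal '</script>' that closes the element early."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var partnerName = {encoded};</script>"


def payload_survives(rendered: str, payload: str) -> bool:
    """True if the raw payload appears unchanged in the output (not neutralized)."""
    return payload in rendered


if __name__ == "__main__":
    cases = [
        ("vulnerable body ", render_vulnerable, SCRIPT_PAYLOAD),
        ("encoded body    ", render_body, SCRIPT_PAYLOAD),
        ("encoded attr    ", render_attribute, ATTRIBUTE_PAYLOAD),
        ("encoded script  ", render_script_data, SCRIPT_BLOCK_PAYLOAD),
    ]
    for label, render, payload in cases:
        out = render(payload)
        verdict = "INJECTED" if payload_survives(out, payload) else "neutralized"
        print(f"{label}: {verdict}: {out}")
```

The point the three hardened functions make is that one encoder does not fit all insertion points: entity encoding is right for element content and attributes, but data inside a script block needs JSON encoding with `<` and `>` escaped as well. Frameworks such as SAPUI5 apply this kind of encoding automatically through their data binding, which is why patching a bundled library like jQuery-UI matters even when application code itself never concatenates markup.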

4. SAP BusinessObjects Business Intelligence Suite (BI-BIP-INS) – CVE-2023-37490

This vulnerability allows an authenticated attacker within the network to overwrite an executable file that is created in the temporary directory as part of the installation process leading to the compromise of the CIA triad. The CVSS score for this vulnerability is given as 7.6 (High). 

5. SAP BusinessObjects Business Intelligence Platform (BI-BIP-CMC) – CVE-2023-37490

This is a Denial of Service (DoS) vulnerability caused by the use of a vulnerable Commons FileUpload version in SAP BusinessObjects Business Intelligence Platform (CMC). The CVSS score for this vulnerability is given as 7.5 (High) by SAP.

6. SAP Message Server (BC-CST-MS) – CVE-2023-37491

Under certain conditions, the SAP Message Server can be bypassed, which enables an authenticated attacker to enter the SAP system's network, resulting in unauthorized reading and writing of data. The CVSS score for this vulnerability is given as 7.5 (High).

7. SAP Business One (SBO-CRO-SEC) – CVE-2023-33993

This vulnerability can be exploited by an authenticated attacker who sends crafted queries over the network to read or modify SQL data. The CVSS score for this vulnerability is given as 7.1 (High).
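Item 1 (arbitrary queries against the back-end database) and item 7 (crafted queries that read or modify SQL data) are both what happens when request data is allowed to shape a SQL statement. The following example is added here and is not SAP code or code from this advisory; it uses Python's built-in sqlite3 module against a constructed in-memory table (`business_partners`, with invented rows) to show the string-built query beside the parameterized one, and how an identifier that cannot be bound (an ORDER BY column) is handled with an allowlist instead.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; the table and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE business_partners ("
        "id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO business_partners (name, credit_limit, owner) VALUES (?, ?, ?)",
        [("Acme GmbH", 10000, "alice"), ("Globex AG", 25000, "bob"), ("Initech SE", 5000, "alice")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, owner: str, name: str) -> list:
    """Vulnerable pattern: request values are interpolated into the statement text,
    so a quote in `name` changes the query's structure and the owner filter can be defeated."""
    sql = (
        "SELECT name, credit_limit FROM business_partners "
        f"WHERE owner = '{owner}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, owner: str, name: str) -> list:
    """Hardened: bound parameters keep the statement structure fixed; the values are
    passed to the engine separately and are never parsed as SQL."""
    sql = "SELECT name, credit_limit FROM business_partners WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


# Identifiers (table/column names, sort direction) cannot be bound as parameters,
# so they must be restricted to a fixed allowlist rather than taken from the request.
ALLOWED_SORT_COLUMNS = {"name", "credit_limit"}


def lookup_sorted(conn: sqlite3.Connection, owner: str, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT name, credit_limit FROM business_partners "
        f"WHERE owner = ? ORDER BY {sort_by}"
    )
    return conn.execute(sql, (owner,)).fetchall()


# Constructed tautology input used only to show the contrast between the two lookups.
INJECTED_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    # The vulnerable lookup returns every partner, including bob's, for a request made as alice.
    print("vulnerable:", lookup_vulnerable(db, "alice", INJECTED_NAME))
    # The hardened lookup treats the whole string as a literal name and finds nothing.
    print("hardened:  ", lookup_hardened(db, "alice", INJECTED_NAME))
    print("sorted:    ", lookup_sorted(db, "alice", "credit_limit"))
```

sqlite3's `execute` refuses to run more than one statement at a time, so this demo only shows the read-side bypass; on a database driver that accepts stacked statements the same string-built query would also allow data modification, which is the second half of what item 7 describes. The `owner = ?` filter is also the application-side authorization check that items like these let an attacker step around, which is why the parameterized form matters even for data the caller is allowed to read.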

Medium Severity Vulnerabilities:

SAP NetWeaver Process Integration (BC-XI-IBF-WU) – CVE-2023-37488 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration. CVSS score 6.1 (Medium).

SAPUI5 (CA-UI5-COR) – CVE-2023-37484 – Cross-Site Scripting (XSS) vulnerabilities in the jQuery-UI library bundled with SAPUI5. CVSS score 6.1 (Medium).

SAP Commerce (CEC-SCC-COM-BC-OCC) – CVE-2023-37486 – Information Disclosure vulnerability in SAP Commerce (OCC API). CVSS score 5.9 (Medium).

SAP Supplier Relationship Management (SRM-EBP-ADM-XBP) – CVE-2023-39436 – Information Disclosure vulnerability in SAP Supplier Relationship Management. CVSS score 5.8 (Medium).

SAP Business One (SBO-CRO-SEC) – CVE-2023-37487 – Security Misconfiguration vulnerability in SAP Business One (Service Layer). CVSS score 5.3 (Medium).

SAP NetWeaver AS ABAP and ABAP Platform (BC-CCM-CNF-PFL) – CVE-2023-37492 – Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform. CVSS score 4.9 (Medium).

SAP BusinessObjects Business Intelligence Platform (BI-RA-WBI) – CVE-2023-39440 – Information Disclosure vulnerability in SAP Supplier Relationship Management. CVSS score 4.4 (Medium).
