
Safe Tuesday with SNOK - Key updates from the February SAP Patch Day


The February SAP Patch Day is the moment when the IT industry watches the latest SAP security updates with bated breath. This year was no exception, and February brought us as many as twenty-six new and updated security notes, including one HotNews note and five high-priority notes. For SAP specialists such as ourselves at SNOK, this is a key moment to ensure that our clients’ systems are protected against the latest threats.

What’s new in February?

Among the releases was a HotNews note concerning SAP Business Client, which patched fifty-four vulnerabilities in Chromium, including twenty-two high-priority patches. The highest CVSS score among all patched vulnerabilities was 8.8, which shows how serious these threats can be.

However, that’s not all. Two of the five high-priority notes are updated versions of previously released notes, which first appeared in December. They concern, among others, SAP Host Agent and SAP Business Planning and Consolidation, where the most serious vulnerability allowed the execution of arbitrary operating system commands with administrator privileges.

Details of new high-priority notes

Among the new high-priority notes was one concerning SAP Host Agent. This vulnerability allowed an unauthorised user with local access to the server port assigned to the SAP Host Agent service to send a specially crafted web service request containing an arbitrary operating system command, which was executed with administrator privileges. This is a serious threat to the confidentiality, integrity, and availability of the system.

Why does this matter to SNOK and our clients?

As a Gold SAP partner, we at SNOK fully understand the importance of maintaining the highest level of security for our clients’ systems. The February SAP Patch Day is a reminder of the ongoing need to monitor and update systems in order to protect against new and evolving threats.

How does SNOK help clients manage patches?

At SNOK we offer comprehensive services in SAP BASIS, SAP analysis, cybersecurity and SAP penetration testing, as well as trusted advisory in these areas. Our experience and partnerships allow us not only to track the latest SAP security updates, but also to effectively manage and implement these updates in our clients’ systems.

Summary

The February SAP Patch Day brought a range of important updates aimed at protecting SAP systems against the latest threats. At SNOK we ensure that our services and solutions are always up to date with security best practices, so that our clients can focus on their business, knowing their systems are secure.

In today’s world, where cyber threats evolve day by day, the importance of regular security updates cannot be overstated.

We encourage all SAP administrators to regularly monitor SAP Patch Day releases and implement the recommended updates. Remember that system security is a process, not a one-off action. At SNOK we are here to support you in this process, offering our knowledge, experience, and dedicated services.

Appendix - detailed notes from the February SAP Patch Day

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSKK | HotNews | 10.0 |
| 3271091 | Update | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | EPM-BPC-NW | High | 8.5 |
| 3256787 | New | [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC) | BI-BIP-CMC | High | 8.4 |
| 3287291 | New | [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform | BC-DWB-TOO-ABA | Low | 3.8 |
| 3285757 | New | [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service) | BC-CCM-HAG | High | 8.8 |
| 2788178 | New | [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI | CA-WUI-UI-TAG | Medium | 4.3 |
| 2985905 | New | [CVE-2023-24524] Missing Authorization check in SAP S/4 HANA Map Treasury Correspondence Format Data | CA-GTF-CSC-DME | Medium | 6.5 |
| 3275841 | New | [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation | EPM-BPC-NW-INF | Medium | 5.4 |
| 3293786 | New | [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-ABA-LA | Medium | 6.1 |
| 3281724 | New | [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control) | GRC-SPC-AC | Medium | 6.5 |
| 3290901 | New | [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) | FI-TV-ODT-MTR | Medium | 6.5 |
| 3282663 | New | [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application) | CA-GTF-PCF | Medium | 6.1 |
| 3274585 | New | [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | BC-BSP | Medium | 6.1 |
| 3269118 | New | [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | BC-BSP | Medium | 6.1 |
| 3269151 | New | [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework) | BC-BSP | Medium | 6.1 |
| 3271227 | New | [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-MID-ICF | Medium | 6.1 |
| 3268959 | New | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform | BC-MID-AC | Medium | 6.1 |
| 3266751 | New | [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2 | SV-SMG-MON-SYS | Medium | 6.1 |
| 3265846 | New | [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application) | SV-SMG-SVD-SWB | Medium | 6.5 |
| 3267442 | New | [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application) | SV-SMG-SVD-SWB | Medium | 6.5 |
| 3270509 | New | [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager | SV-SMG-OP | Medium | 6.5 |
| 3263135 | New | [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform | BI-BIP-INV | High | 8.5 |
| 3263863 | New | [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface | BI-RA-WBI-FE | Medium | 4.3 |
| 3262544 | Update | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | BC-JAS-WEB | Medium | 6.1 |
| 3268172 | Update | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | BC-DB-HDB-POR | High | 8.8 |
| 3283283 | Update | [CVE-2023-0013] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | BC-ABA-LA | Medium | 6.1 |

Topics: Safe Tuesday, SAP security, SAP S/4HANA
