SAP publishes security updates for two serious vulnerabilities

    The April 2023 security patches from enterprise software provider SAP have been made available for a number of its products. These updates fix two critical-severity flaws that affect the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform.

    In total, SAP has published 24 notes, of which five are updates to earlier bulletins and 19 are new issues of various seriousness.

    The three most important problems resolved this time are:

    • CVE-2023-27267: The OSCommand Bridge of SAP Diagnostics Agent version 720 suffers from insufficient input validation and missing authentication, allowing an attacker to execute scripts on connected agents and fully compromise the system.

    • CVE-2023-28765: Versions 420 and 430 of SAP BusinessObjects Business Intelligence Platform (Promotion Management) are affected by an information disclosure vulnerability that lets a user with minimal access rights decrypt the lcmbiar file. This exposes the credentials of the platform's users and allows the attacker to hijack their accounts to carry out further malicious actions.

    • CVE-2023-29186: SAP NetWeaver versions 707, 737, 747, and 757 are affected by a directory traversal bug that enables an attacker to upload and overwrite files on the exposed SAP server.
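The third item is a directory traversal flaw that lets uploaded files land outside the directory they were meant for. The following is an added, hypothetical defensive example (not SAP's code and not specific to CVE-2023-29186) showing the checks an upload handler should apply to a user-supplied file name: it rejects absolute paths, parent-directory references, backslash separators and one layer of percent-encoding, then confirms the resolved path still lies under a constructed upload root. The root directory, sample names and function names are all assumptions of this example.

```python
"""Safe resolution of user-supplied upload names under a fixed directory.

Hypothetical defensive example (not SAP's code): rejects names that would
escape the upload root via "../", absolute paths, backslashes or a single
layer of URL encoding, then double-checks the resolved path.
"""
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Constructed upload root for the example; the directory need not exist.
UPLOAD_ROOT = Path("/srv/uploads")


def resolve_upload_path(root: Path, supplied_name: str) -> Path:
    """Return the absolute path a file named `supplied_name` may be written to,
    or raise ValueError if the name would land outside `root`."""
    if not supplied_name or "\x00" in supplied_name:
        raise ValueError("empty name or embedded NUL byte")

    # Decode exactly one layer of percent-encoding so "%2e%2e/" is seen as
    # "../". Decoding once keeps a literal "%2e" from being re-interpreted.
    name = unquote(supplied_name)
    # Treat backslashes as separators too, so "..\\" cannot slip past a
    # "/"-only check.
    name = name.replace("\\", "/")

    rel = PurePosixPath(name)
    if rel.is_absolute():
        raise ValueError(f"absolute path rejected: {supplied_name!r}")
    if any(part == ".." for part in rel.parts):
        raise ValueError(f"parent-directory reference rejected: {supplied_name!r}")

    # Syntactic checks alone are not enough (symlinked subdirectories, for
    # instance), so resolve the final path and confirm it is inside the root.
    root_resolved = root.resolve(strict=False)
    target = (root_resolved / rel).resolve(strict=False)
    if root_resolved not in target.parents:
        raise ValueError(f"resolved path escapes upload root: {supplied_name!r}")
    return target


def classify_names(root: Path, names):
    """Map each candidate name to 'accepted' or 'rejected' (useful for
    logging what an upload endpoint turned away)."""
    result = {}
    for n in names:
        try:
            resolve_upload_path(root, n)
            result[n] = "accepted"
        except ValueError:
            result[n] = "rejected"
    return result


if __name__ == "__main__":
    # Constructed sample inputs: benign names and typical traversal shapes.
    samples = [
        "report.pdf",
        "2023/04/export.csv",
        "../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/shadow",
        "%2e%2e/%2e%2e/etc/hosts",
    ]
    for name, verdict in classify_names(UPLOAD_ROOT, samples).items():
        print(f"{verdict:8} {name!r}")
```

The final `resolve()` comparison is the check that matters: the string-level filters catch the common shapes, but only resolving the path and testing that the upload root is one of its parents guarantees the write cannot leave that directory.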

    SAP's most recent security advisory also lists 11 further vulnerabilities of low to medium severity.

    Although such issues are usually not prioritized for patching, attackers still exploit them, particularly as links in more complex attack chains, so they should be fixed as well.

    Quick patching is crucial

    Attackers are constantly on the lookout for critical-severity vulnerabilities in widely deployed software such as SAP's, which is present in many large corporate networks.

    With 425,000 clients in 180 countries and a 24% market share globally, SAP is the largest ERP provider in the world. Its ERP, SCM, PLM, and CRM products are used by more than 90% of the Forbes Global 2000.

    In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to patch a set of serious vulnerabilities in SAP business applications in order to prevent data theft, ransomware attacks, and disruption of mission-critical operations and processes.

    In April 2021, threat actors were observed trying to break into corporate networks by exploiting already-patched vulnerabilities on SAP systems that had not yet applied the fixes.

    Applying the appropriate security fixes as soon as possible is therefore absolutely critical for SAP system administrators.

    Source: https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-for-two-critical-severity-flaws/