Adopts Implementing Acts as stipulated in Article 21 by December 31, 2024, according to the Commission.
In the latest SAP Patch Day of February 2023, the company released sixteen new and updated security patches, including two HotNews notes and six High Priority notes. This monthly security update is in line with the average number of advisories typically released.
One of the critical vulnerabilities addressed in this patch day is an XML External Entity (XEE) injection vulnerability in the Guided Procedures component of SAP NetWeaver AS Java. This high-severity issue, marked with a CVSS score of 8.6, was identified by Onapsis Research Labs and addressed in SAP Security Advisory #3426111.
Another critical vulnerability, a cross-site scripting (XSS) issue in the user management application of SAP NetWeaver AS Java, was fixed with SAP security note #3417627, carrying a CVSS score of 8.8.
Onapsis Research Labs also discovered a Cross-Site Scripting vulnerability, #3410875, in the "Print Preview" option in SAP CRM WebClient UI, with a CVSS score of 7.6. This vulnerability was successfully patched by SAP.
In addition, SAP Security Advisory #3421659, marked with a CVSS score of 7.4, affects only SAP IDES systems and removes a program that enables the execution of arbitrary code.
Notably, Onapsis Research Labs supported SAP in patching two of the most critical vulnerabilities of this Patch Day.
In response to these findings, Onapsis will integrate the newly published vulnerabilities into The Onapsis Platform to protect customers' businesses. Subscribing to the Defender's Digest Onapsis Newsletter provides more information on the latest SAP security issues and the continuous efforts to share knowledge with the security community.
This article was written by Thomas Fritsch and published on the Onapsis Blog.
It's worth mentioning that SAP security note #2622660 fixes thirty-three Chromium vulnerabilities for SAP Business Client, including twenty-six High Priority patches. Furthermore, SAP released High Priority note #3385711, marked with a CVSS score of 7.3, which fixes an information disclosure vulnerability in the SAP NetWeaver Application Server ABAP.
Lastly, the patch for SAP Security Advisory #3407617, as clarified by the SAP Product Security Response Team, does not involve code correction and no update to the note is required.
Stay vigilant and keep your SAP systems secure by staying updated on the latest patches and vulnerabilities.
Read also:
- Reporter of Silenced Torment or Individual Recording Suppressed Agony
- JPMorgan Chase Announces Plans for a Digital Bank Launch in Germany's Retail Sector
- Urgent Action: Users of Smartphones Advised to Instantly Erase Specific Messages, as per FBI Admonition
- Customer data from Coinbase breached, exposing sensitive information
