Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerabilities in SAP Products
Alerts

Critical Vulnerabilities in SAP Products

15 March 2023

SAP has released security updates addressing vulnerabilities (CVE-2023-25616, CVE-2023-23857, CVE-2023-27269, CVE-2023-27500 and CVE-2023-25617) in SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver Application Server.

The vulnerabilities are: 

  • CVE-2023-25616: A code injection vulnerability that could allow an attacker to access resources only available to privileged users.

  • CVE-2023-23857: An authentication vulnerability that could allow an unauthenticated attacker to perform unauthorised operations by attaching to an open interface and accessing services via the directory API.

  • CVE-2023-27269: A directory traversal vulnerability that could allow an attacker with non-admin privileges to overwrite system files.

  • CVE-2023-27500: A directory traversal vulnerability that could allow an attacker with non-admin privileges to overwrite system files.

  • CVE-2023-25617: An OS command execution vulnerability that could allow a remote attacker to execute arbitrary commands on the OS using the BI Launchpad, Central Management Console, or a custom application based on the public java SDK, under certain conditions.

The vulnerabilities affect the following product versions:

  • For CVE-2023-25616: 

    • SAP Business Intelligence Platform versions 420 and 430

  • For CVE-2023-23857: 

    • SAP NetWeaver Application Server for Java versions 7.50

  • For CVE-2023-27269: 

    • SAP NetWeaver Application Server for ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 and 791

  • For CVE-2023-27500: 

    • SAP NetWeaver Application Server for ABAP and ABAP Platform (SAPRSBRO Program) versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 757

  • For CVE-2023-25617:

    • SAP Business Objects (Adaptive Job Server) versions 420 and 430

Users and administrators of affected SAP products are advised to upgrade to the latest versions immediately.

More information is available here: 

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

https://www.bleepingcomputer.com/news/security/sap-releases-security-updates-fixing-five-critical-vulnerabilities/

https://securityonline.info/sap-march-2023-security-updates-patch-5-critical-severity-vulnerabilities/



Back to top