Critical Vulnerabilities in SAP Products

SAP has released security updates addressing vulnerabilities (CVE-2023-25616, CVE-2023-23857, CVE-2023-27269, CVE-2023-27500 and CVE-2023-25617) in SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver Application Server.

The vulnerabilities are: 

• CVE-2023-25616: A code injection vulnerability that could allow an attacker to access resources only available to privileged users.
• CVE-2023-23857: An authentication vulnerability that could allow an unauthenticated attacker to perform unauthorised operations by attaching to an open interface and accessing services via the directory API.
• CVE-2023-27269: A directory traversal vulnerability that could allow an attacker with non-admin privileges to overwrite system files.
• CVE-2023-27500: A directory traversal vulnerability that could allow an attacker with non-admin privileges to overwrite system files.
• CVE-2023-25617: An OS command execution vulnerability that could allow a remote attacker to execute arbitrary commands on the OS using the BI Launchpad, Central Management Console, or a custom application based on the public java SDK, under certain conditions.

The vulnerabilities affect the following product versions:

• For CVE-2023-25616: 
  • SAP Business Intelligence Platform versions 420 and 430
• For CVE-2023-23857: 
  • SAP NetWeaver Application Server for Java versions 7.50
• For CVE-2023-27269: 
  • SAP NetWeaver Application Server for ABAP and ABAP Platform versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757 and 791
• For CVE-2023-27500: 
  • SAP NetWeaver Application Server for ABAP and ABAP Platform (SAPRSBRO Program) versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 and 757
• For CVE-2023-25617:
  • SAP Business Objects (Adaptive Job Server) versions 420 and 430

Users and administrators of affected SAP products are advised to upgrade to the latest versions immediately.