<h1>SAP Security Patch Day March 2023</h1>
<p>Published 2023-03-14 09:54 (last modified 2023-07-10) by BALTX at https://techltx.com/de/sap/sap-security-patch-day-maerz-2023/2023/03/. Categories: SAP, SAP Security Patch Day. Tags: businessobjects, contentserver, java, netweaver, patchday, sap.</p>
<p>Good morning, dear SAP customers! <strong>Welcome to the special spring edition of SAP Security Patch Day March 2023.</strong></p>
<figure><a href="https://techltx.com/wp-content/uploads/2023/06/sap-security-patchday.png"><img width="491" height="155" src="https://techltx.com/wp-content/uploads/2023/06/sap-security-patchday.png" alt="SAP Security Patchday 2023-03 March" /></a><figcaption>SAP Security Patchday</figcaption></figure>
<p>This spring's Security Patch Day was a stronghold of "Hot News". Our alarm bells rang no fewer than five times as the patch review got under way.</p>
<p>First on the list is our SAP Business Objects Business Intelligence Platform (CMC), or as we affectionately call it, the "Trouble Maker". An unexpected party invitation in the form of a code injection vulnerability, caused by a lax user authorization check, allowed any mischief-making troublemaker to run riot at our expense. SAP strongly advises applying the latest Support Packages to get rid of this uninvited guest (SAP Note 3245526).</p>
<p>Next we called up SAP NetWeaver AS for Java, which turned out to be a true "master of disguise". Missing authentication checks allowed any spy to nest in our systems and access services unhindered, with which all sorts of mischief could be done (Note 3252433).</p>
<p>Our faithful SAP NetWeaver Application Server for ABAP and ABAP Platform, our "conductor", also showed a few weak spots. Like a conductor, an attacker could change the tune and overwrite critical system files in the process. Fortunately without read permission, otherwise they could have rewritten the score for the whole orchestra (Note 3294595).</p>
<p>Our SAP Business Objects (Adaptive Job Server), the "shadow warrior", allowed attackers to launch remote commands on Unix because of incorrectly escaped parameters. Attackers could thus turn the server into a shadow of its former self (Note 3283438).</p>
<p>The "double agent", our SAP Solution Manager and managed ABAP systems (ST-PI), allowed an attacker posing as an ordinary user to perform actions they would normally not be authorized for. Like a double agent, they could read or modify sensitive information, or even block access to the system (Note 3296476).</p>
<p>Finally, our SAP Host Agent, our "explosives expert". It had a security flaw in SAPOSCOL that allowed attackers to cause memory corruption with a crafted request. A dangerous condition that can only be fixed with the latest patch level (Note 3275727).</p>
<p>Now that you have heard this adventurous summary, you probably want to know how to fix these issues. SAP offers webinars together with ASUG and DSAG to help you with that.</p>
<ul>
<li>3289844 [CVE-2023-25615] SQL Injection vulnerability in SAP ABAP Platform</li>
<li>3245526 [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC)</li>
<li>3283438 [CVE-2023-25617] OS Command Execution vulnerability in SAP Business Objects Business Intelligence Platform (Adaptive Job Server)</li>
<li>3302710 [CVE-2023-27895] Information Disclosure vulnerability in SAP Authenticator for Android</li>
<li>3296328 [CVE-2023-27270] Denial of Service (DoS) in SAP NetWeaver AS for ABAP and ABAP Platform</li>
<li>3294954 [CVE-2023-27501] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform</li>
<li>3252433 [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java</li>
<li>3294595 [CVE-2023-27269] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform</li>
<li>3296346 [CVE-2023-26459] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform</li>
<li>3281484 [CVE-2023-26457] Cross-Site Scripting (XSS) vulnerability in SAP Content Server</li>
<li>3274920 [CVE-2023-0021] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver</li>
<li>3302162 [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform</li>
<li>3284550 [CVE-2023-26461] XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal)</li>
<li>3296476 [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)</li>
<li>3275727 [CVE-2023-27498] Memory Corruption vulnerability in SAPOSCOL</li>
<li>3287120 [Multiple CVEs] Multiple vulnerabilities in the SAP BusinessObjects Business Intelligence platform</li>
<li>3288480 [CVE-2023-27268] Improper Access Control in SAP NetWeaver AS Java (Object Analyzing Service)</li>
<li>3288096 [CVE-2023-26460] Improper Access Control in SAP NetWeaver AS Java (Cache Management Service)</li>
<li>3288394 [CVE-2023-24526] Improper Access Control in SAP NetWeaver AS Java (Classload Service)</li>
<li>3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)</li>
<li>3274585 [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)</li>
</ul>