{"id":279,"date":"2023-02-14T11:57:00","date_gmt":"2023-02-14T09:57:00","guid":{"rendered":"https:\/\/techltx.com\/?p=279"},"modified":"2023-07-10T00:03:54","modified_gmt":"2023-07-09T21:03:54","slug":"sap-security-patch-day-februar-2023","status":"publish","type":"post","link":"https:\/\/techltx.com\/de\/sap\/sap-security-patch-day-februar-2023\/2023\/02\/","title":{"rendered":"SAP Security Patch Day February 2023"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<p>Important notes for SAP Basis administrators: <strong>Highlights of the SAP Security Notes of 14 February 2023.&nbsp;<\/strong><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png\"><img loading=\"lazy\" decoding=\"async\" width=\"491\" height=\"155\" src=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png\" alt=\"SAP Security Patchday 2023-02 February\" class=\"wp-image-248\" srcset=\"https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday.png 491w, https:\/\/techltx.com\/wp-content\/uploads\/2023\/06\/sap-security-patchday-300x95.png 300w\" sizes=\"auto, (max-width: 491px) 100vw, 491px\" \/><\/a><figcaption class=\"wp-element-caption\">SAP Security Patchday <\/figcaption><\/figure>\n<\/div>\n<\/div>\n\n\n<p>In many companies, SAP systems are critical to the smooth operation and security of business processes. As an SAP Basis administrator, it is important to stay informed about the latest security patches and relevant notes. 
In February 2023, SAP released a total of 26 Security Notes, including one HotNews note and five High Priority notes. This article summarizes the highlights of these Security Notes.<\/p>\n<p>HotNews note for SAP Business Client:<br>The only HotNews note in February concerns the SAP Business Client and carries the number #2622660. This note fixes the latest vulnerabilities in the Chromium browser used by the SAP Business Client. A total of 54 Chromium vulnerabilities were fixed, 22 of them with high priority. The highest CVSS score among the fixed vulnerabilities is 8.8. Installing this patch immediately is strongly recommended, as the security of the SAP Business Client is of great importance.<\/p>\n<p>High Priority notes in detail:<br>Of the five High Priority notes, two are updated versions of previously released notes that were originally published on the December Patch Day. Here is the key information on the new High Priority notes:<\/p>\n<p>SAP Security Note #3268172:<br>This note, with a CVSS score of 8.8, affects customers who run SAP on a database other than HANA. It is a critical vulnerability that also affects customers who are not based on HANA. It is recommended to review this note and take appropriate action.<\/p>\n<p>High Priority note #3271091:<br>This note, with a CVSS score of 8.5, fixes a privilege escalation vulnerability in SAP Business Planning and Consolidation. The note was updated with only a few minor text changes and requires no new action if it has already been implemented.<\/p>\n<p>Notes for SAP BusinessObjects:<br>The two remaining High Priority notes affect SAP BusinessObjects customers. 
Here are the details of these notes:<\/p>\n<p>SAP Security Note #3263135:<br>This note, with a CVSS score of 8.5, fixes an information disclosure vulnerability in the SAP BusinessObjects Business Intelligence platform. An attacker must be authenticated to exploit this vulnerability. A successful attack can have a significant impact on the confidentiality and a limited impact on the integrity of the application.<\/p>\n<p>SAP Security Note #3256787:<br>This note, with a CVSS score of 8.4, fixes a vulnerability that allows an authenticated administrator to upload malicious code that can be executed by the application over the network. Although the impact on the confidentiality, integrity and availability of the application is high, the CVSS score is lower than for SAP Security Note #3263135 because an attacker must have admin privileges.<\/p>\n<p>Contribution of the Onapsis Research Labs:<br>The Onapsis Research Labs (ORL) supported SAP in fixing several vulnerabilities. In addition to the critical vulnerability in the SAP Host Agent, nine Cross-Site Scripting vulnerabilities and three URL Redirection vulnerabilities were patched. These vulnerabilities affected various SAP applications and require the affected software components to be updated accordingly.<\/p>\n<p>Conclusion:<br>As an SAP Basis administrator, it is crucial to stay informed about the latest security patches and relevant notes. The SAP Security Notes released in February 2023 contain important information on vulnerabilities and their fixes. 
Installing the relevant patches immediately is strongly recommended to keep SAP systems secure and to prevent potential exploits.<\/p>\n\n\n<ul class=\"wp-block-list\">\n<li>2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client<\/li>\n\n\n\n<li>3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation<\/li>\n\n\n\n<li>3256787 [CVE-2023-24530] Unrestricted Upload of File in SAP BusinessObjects Business Intelligence Platform (CMC)<\/li>\n\n\n\n<li>3287291 [CVE-2023-23854] Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform<\/li>\n\n\n\n<li>3285757 [CVE-2023-24523] Privilege Escalation vulnerability in SAP Host Agent (Start Service)<\/li>\n\n\n\n<li>2788178 [CVE-2023-24525] Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI<\/li>\n\n\n\n<li>2985905 [CVE-2023-24524] Missing Authorization check in SAP S\/4 HANA Map Treasury Correspondence Format Data<\/li>\n\n\n\n<li>3275841 [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation<\/li>\n\n\n\n<li>3293786 [CVE-2023-23858] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform<\/li>\n\n\n\n<li>3281724 [CVE-2023-0019] Missing Authorization check in SAP GRC (Process Control)<\/li>\n\n\n\n<li>3290901 [CVE-2023-24528] Missing Authorization Check in SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests)<\/li>\n\n\n\n<li>3282663 [CVE-2023-24529] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (Business Server Pages application)<\/li>\n\n\n\n<li>3274585 [CVE-2023-25614] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)<\/li>\n\n\n\n<li>3269118 [CVE-2023-24522] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (BSP Framework)<\/li>\n\n\n\n<li>3269151 [CVE-2023-24521] Cross-Site Scripting (XSS) vulnerability in SAP 
NetWeaver AS ABAP (BSP Framework)<\/li>\n\n\n\n<li>3271227 [CVE-2023-23853] URL Redirection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform<\/li>\n\n\n\n<li>3268959 [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform<\/li>\n\n\n\n<li>3266751 [CVE-2023-23852] Cross-Site Scripting (XSS) vulnerability in SAP Solution Manager 7.2<\/li>\n\n\n\n<li>3265846 [CVE-2023-0024] Cross Site Scripting in SAP Solution Manager (BSP Application)<\/li>\n\n\n\n<li>3267442 [CVE-2023-0025] Cross Site Scripting in SAP Solution Manager (BSP Application)<\/li>\n\n\n\n<li>3270509 [CVE-2023-23855] URL Redirection vulnerability in SAP Solution Manager<\/li>\n\n\n\n<li>3263135 [CVE-2023-0020] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence platform<\/li>\n\n\n\n<li>3263863 [CVE-2023-23856] Cross-Site Scripting (XSS) vulnerability in Web Intelligence Interface<\/li>\n\n\n\n<li>3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>SAP Security Notes Patchday June 2023 This article is a summary of the contents and current vulnerabilities for SAP systems, in particular Chromium Business Client, ABAP, HostAgent, Cross-Site Scripting, FIORI and 
NetWeaver<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_uag_custom_page_level_css":"","site-sidebar-layout":"right-sidebar","site-content-layout":"content-boxed-container","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5,11],"tags":[14,25,24,12,7,15],"class_list":["post-279","post","type-post","status-publish","format-standard","hentry","category-sap","category-sap-security-patch-day","tag-fiori","tag-java","tag-netweaver","tag-patchday","tag-sap","tag-xss"],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"BALTX","author_link":"https:\/\/techltx.com\/de\/author\/baltx-com\/"},"uagb_comment_info":0,"uagb_excerpt":"SAP Security Notes Patchday June 2023 This article is a summary of the contents and current vulnerabilities for SAP systems, in particular Chromium Business Client, ABAP, HostAgent, Cross-Site Scripting, 
FIORI and NetWeaver","_links":{"self":[{"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/posts\/279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/comments?post=279"}],"version-history":[{"count":2,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/posts\/279\/revisions"}],"predecessor-version":[{"id":474,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/posts\/279\/revisions\/474"}],"wp:attachment":[{"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/media?parent=279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/categories?post=279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techltx.com\/de\/wp-json\/wp\/v2\/tags?post=279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}