On 10.01.2023 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Kernel / ABAP.
SAP Note 3089413 addresses "[CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform" to prevent insufficient security function with a hot news risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as project, the team suggests.
Risk specificationSAP NetWeaver ABAP Server and ABAP Platform do not create information about system identity in an unambiguous format. Malicious users may exploit this to obtain illegitimate access to the system.
By this correction the system identification becomes unique and the system identification will be used and evaluated correctly in trusted-trusting communication scenarios. Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "There is no complete workaround. But the attack surface can be reduced by:Use encryption (HTTPS, SNC)Give no authorizations for direct table access to table RFCSYSACL,Activate database logging for table RFCSYSACL and check the log periodically.Restrict access to systems, network and network intermediates where trusted/trusting is used. ".
The advisory is valid for
- KERNEL 7.22 15
- KERNEL 7.53 22
- KERNEL 7.77 21
- KERNEL 7.81 20
- KERNEL 7.85 13
- KERNEL 7.89 3
- KRNL64NUC 7.22 20
- KRNL64NUC 7.22EXT 20
- KRNL64UC 7.22 20
- KRNL64UC 7.22EXT 20
- KRNL64UC 7.53 21
- SAP_BASIS 700-702 37
- SAP_BASIS 710-711 19
- SAP_BASIS 730 32
- SAP_BASIS 731 46
- SAP_BASIS 740 47
- SAP_BASIS 750-757 8
- 8.5 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
- 6.7 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
- 6.5 Information Disclosure vulnerability in SAP Business Client
- 6.3 [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1
- 5.4 [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager