A note with CVSS 9.9 for component BI-RA-AWB was released by SAP on 10.01.2023. The correction/advisory 3262810 was described with "[CVE-2023-0022] Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP)" and affects the system type BI/BO platform.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is code injection within BI/BO platform.
Risk specificationSAP BusinessObjects Business Intelligence platform (Analysis for OLAP) allows an authenticated attacker to inject code through deserialization of malicious payloads.
Analysis edition for OLAP has been extended with additional allow list checks to prevent deserialization of malicious payload. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "Removing, stopping or disabling Multidimensional Analysis Service is only option to prevent risk until official correction is installed.- It will not be possible anymore to create or open an Analysis edition for OLAP Workspace.- Managing OLAP Connections in Central Management Console will also be impossible.Operation can be executed in Central Management Console:1. Open Central Management Console in a browser:2. Go to "Servers" page3. Find list of Adaptive Processing Servers which host service "Multidimensional Analysis Service"4. Decide if this service can be removed, or else Adaptive Processing Server can be disabled or shut down".
SAP BusinessObjects Business Intelligence suite is an analytics platform allowing SAP customers to make better decisions based on their business data. SAP BI is a module meant for producing business insights and expands its power in combination with HANA DB and also exists as BW/4 HANA. Due to processing sensitive business data, the Data security is of utmost importance.
The advisory is valid for
- ENTERPRISE 420 74
- ENTERPRISE 430 60
- 8.8 [CVE-2023-27893] Arbitrary Code Execution in SAP Solution Manager and ABAP managed systems (ST-PI)
- 7.0 [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer
- 6.4 [CVE-2023-0012] Local Privilege Escalation in SAP Host Agent (Windows)
- 5.4 [CVE-2023-23851] Unrestricted File Upload in SAP Business Planning and Consolidation