SAP Issues Critical Patch for CVE-2023-28761, Amplifying Other Vulnerabilities
SAP has released a security patch for CVE-2023-28761, a vulnerability discovered by Pablo Artuso of Onapsis Research Labs. Taken on its own, the issue is rated Medium, but it can significantly amplify the impact of other vulnerabilities when chained with them.
The vulnerability, part of the 'P4CHAINS' family identified by Onapsis Research Labs, has a CVSS v3 base score of 6.5. It lets a remote, unauthenticated attacker reach other vulnerabilities over HTTP, including ones SAP has already patched, on systems where those patches have not yet been applied. Vulnerabilities that were previously considered unreachable from the internet therefore become remotely exploitable, with critical impact on the affected system.
Organizations are urged to apply the patch promptly, and across all affected applications, to close off such exploit chains. Timely threat intelligence is crucial for risk prioritization: the combined risk of a chain is greater than the sum of the individual vulnerabilities' impacts, and a Medium CVSS rating, as this case shows, says nothing about what a flaw enables once it is combined with others. CVSS ratings should therefore not be the sole guide for patch prioritization.
In short, SAP's patch closes a vulnerability whose main danger lies in exacerbating other security issues. Staying informed about emerging threats and applying patches promptly and comprehensively remains the effective mitigation.
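The prioritization argument above can be made concrete with a small chain-aware exposure model. The following script is an added illustration, not code from SAP or Onapsis: it assumes that the HTTP entry point is internet-facing, that the internal service reached through CVE-2023-28761 is the P4 port (an assumption drawn from the P4CHAINS name, not stated on this page), and it uses constructed placeholder flaws (P4-FLAW-A, P4-FLAW-B) with invented scores to stand in for the internal vulnerabilities the chain exposes. The only real identifier is CVE-2023-28761 with its 6.5 score.

```python
"""
Chain-aware exposure analysis for patch prioritization (added example).

Models the P4CHAINS pattern: a Medium-rated flaw in an internet-facing
service (HTTP) that bridges to an internal service (assumed: P4) turns
every flaw in that internal service into an internet-exploitable one,
regardless of each flaw's own CVSS. Names and scores other than
CVE-2023-28761 / 6.5 are constructed placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    name: str
    cvss: float
    service: str             # service the flaw lives in ("http", "p4", ...)
    bridges_to: tuple = ()   # services this flaw exposes to anyone who reaches `service`


@dataclass(frozen=True)
class Host:
    exposed: frozenset       # services reachable directly from the internet
    vulns: tuple             # Vuln instances still present (i.e. not yet patched)


def reachable_services(host: Host) -> frozenset:
    """Transitive closure: start from internet-facing services and follow
    every bridge whose source service is already reachable."""
    reach = set(host.exposed)
    changed = True
    while changed:
        changed = False
        for v in host.vulns:
            if v.service in reach:
                new = set(v.bridges_to) - reach
                if new:
                    reach |= new
                    changed = True
    return frozenset(reach)


def naive_internet_risk(host: Host) -> float:
    """CVSS-only view: highest score among flaws in directly exposed services."""
    scores = [v.cvss for v in host.vulns if v.service in host.exposed]
    return max(scores, default=0.0)


def chain_aware_internet_risk(host: Host) -> float:
    """Highest score among flaws reachable once bridges are followed."""
    reach = reachable_services(host)
    scores = [v.cvss for v in host.vulns if v.service in reach]
    return max(scores, default=0.0)


def prioritize(host: Host) -> list:
    """Rows of (name, cvss, internet_exploitable): internet-exploitable
    flaws first, then by CVSS descending."""
    reach = reachable_services(host)
    rows = [(v.name, v.cvss, v.service in reach) for v in host.vulns]
    return sorted(rows, key=lambda r: (not r[2], -r[1]))


def patched(host: Host, name: str) -> Host:
    """Host state after the named flaw has been patched (removed)."""
    return Host(host.exposed, tuple(v for v in host.vulns if v.name != name))


# Constructed sample host: HTTP is internet-facing, P4 is internal only.
BRIDGE = Vuln("CVE-2023-28761", 6.5, "http", bridges_to=("p4",))
SAMPLE_HOST = Host(
    exposed=frozenset({"http"}),
    vulns=(
        BRIDGE,
        # Hypothetical P4-only flaws with placeholder scores (not real CVEs).
        Vuln("P4-FLAW-A", 9.1, "p4"),
        Vuln("P4-FLAW-B", 7.5, "p4"),
    ),
)

if __name__ == "__main__":
    states = (("unpatched", SAMPLE_HOST),
              ("after patching CVE-2023-28761", patched(SAMPLE_HOST, "CVE-2023-28761")))
    for label, h in states:
        print(f"{label}: naive={naive_internet_risk(h)} "
              f"chain-aware={chain_aware_internet_risk(h)}")
        for name, cvss, exploitable in prioritize(h):
            tag = "INTERNET-EXPLOITABLE" if exploitable else "internal only"
            print(f"  {name:18} {cvss:4} {tag}")
```

The naive view reports 6.5 as the worst internet-facing risk, while the chain-aware view reports 9.1 because the bridge makes the internal P4 flaws reachable; patching CVE-2023-28761 alone drops the internet-facing risk back to the internal flaws being unreachable. The same model generalizes to any bridge chain (several hops are handled by the closure loop), which is the point the article makes about CVSS-only prioritization.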