Advisory
A note with CVSS 7.6 for component BI-BIP-INS was released by SAP on 08.08.2023. The correction/advisory 3317710 was described with "[CVE-2023-37490] Binary hijack in SAP BusinessObjects Business Intelligence Suite (installer)" and affects the system type BI/BO platform.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is code injection within BI/BO platform.
Risk specification
SAP Business Objects Installers allows an authenticated attacker within the network to overwrite an executable file created in a temporary directory during installation. On replacing this executable with a malicious file, an attacker can completely compromise the system's confidentiality, integrity, and availability.Solution
User rights checks are now handled properly to prevent this type of attack.
Affected System
SAP BusinessObjects Business Intelligence suite is an analytics platform allowing SAP customers to make better decisions based on their business data. SAP BI is a module meant for producing business insights and expands its power in combination with HANA DB and also exists as BW/4 HANA. Due to processing sensitive business data, the Data security is of utmost importance.
The advisory is valid for
- ENTERPRISE 420 87
- ENTERPRISE 430 75
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP BTP Cloud Foundry
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP HANA XSA
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in XSA Cockpit
- 10.0 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Edge Services On Premise Edition
