SAP Security Notes, August 2018
There were several high-priority Security Notes released in August for vulnerabilities impacting multiple Business Intelligence applications. Note 2569748 patches an XML External Entity (XXE) vulnerability in Crystal Reports for Enterprise. Note 2614229 deals with a memory corruption vulnerability in the BOBJ platform that can be triggered by a buffer overflow. Note 2644154 provides corrections for a SQL injection vulnerability in the BI Launchpad for Web Intelligence that could be exploited to read sensitive data.
A similar SQL injection vulnerability is addressed in the MaxDB database by Note 2660005. The solution includes removing unnecessary privileges from the DBM operators responsible for managing databases.
Notes 2655250 and 2155614 patch missing authorization checks in the MDM Catalog of Supplier Relationship Management (SRM) and components of ERP Sales and Distribution.
Note 2201710 includes instructions for responding to Logjam and similar vulnerabilities in SAP products that use OpenSSL. Logjam is a downgrade attack: a TLS connection negotiated with ephemeral Diffie-Hellman key exchange is forced down to 512-bit export-grade parameters, which are weak enough to be broken. Note 2201710 adds protection on the TLS client side by rejecting handshakes whose DH parameters are shorter than 768 bits.
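The client-side check the note describes amounts to parsing the server's DHE ServerKeyExchange and refusing the handshake when the prime is too short. The following is an added illustration, not code from SAP or OpenSSL: it decodes the TLS 1.2 ServerDHParams structure (RFC 5246 section 7.4.3), measures the modulus length and applies the 768-bit threshold; the sample moduli are constructed stand-ins, not real DH primes.

```python
import struct

MIN_DH_BITS = 768  # threshold described in SAP Note 2201710 (OpenSSL's Logjam fix)


def _read_opaque16(buf, off):
    """Read a TLS <1..2^16-1> length-prefixed vector; return (bytes, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty vector")
    return buf[off:off + n], off + n


def parse_server_dh_params(msg):
    """Parse a ServerKeyExchange handshake message (type 12) carrying ServerDHParams.
    Returns (p_bits, g, Ys); any trailing signature is ignored."""
    if len(msg) < 4 or msg[0] != 12:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_opaque16(body, 0)       # dh_p: the modulus
    g, off = _read_opaque16(body, off)     # dh_g: the generator
    ys, off = _read_opaque16(body, off)    # dh_Ys: the server's public value
    # bit_length() ignores leading zero bytes, so padding cannot inflate the size
    return (int.from_bytes(p, "big").bit_length(),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def dh_params_acceptable(msg, min_bits=MIN_DH_BITS):
    """Mirror the client-side policy: reject any modulus shorter than min_bits."""
    p_bits, _, _ = parse_server_dh_params(msg)
    return p_bits >= min_bits


def build_server_key_exchange(p, g, ys):
    """Constructed helper for testing: encode ServerDHParams with no signature."""
    def opaque16(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = opaque16(p) + opaque16(g) + opaque16(ys)
    return bytes([12]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    # constructed 512-bit and 2048-bit moduli (stand-ins, not real primes)
    for bits in (512, 1024, 2048):
        msg = build_server_key_exchange((1 << (bits - 1)) | 1, 2, 12345)
        print(bits, "bits ->", "accept" if dh_params_acceptable(msg) else "reject")
```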