SAP Security Notes, September 2018
Note 2681207 patches a high-risk missing XML validation vulnerability in Extended Application Services (XS) in SAP HANA. The OData parser in HANA XS does not sufficiently validate user-supplied XML input, so crafted input can be processed in a way that provokes a denial of service in the database server. The vulnerability can be exploited if applications using OData services are enabled on HANA XS; if authentication is not enforced for such an application, an anonymous attacker can exploit it. The attacker needs network access to the HTTP/HTTPS port of the SAP HANA database XS engine (classic model). The vulnerability is fixed by applying the software packages listed in note 2681207. Alternatively, you can limit network access to the XS classic server running in the tenant databases of a multitenant system; the default port range is 30040 – 30997. It is also recommended to enforce authentication for applications using OData services via HANA XS.
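The second workaround above, enforcing authentication for exposed XS classic applications, can be checked against the package runtime configuration. The following Python audit is an added example, not part of the note or of SAP's tooling; it assumes the `.xsaccess` conventions stated in its comments and uses constructed sample configurations.

```python
import json

# Constructed sample .xsaccess documents for four hypothetical HANA XS classic packages.
# Assumption (not stated in the note): in .xsaccess, "exposed": true makes the package
# reachable over HTTP(S) and "authentication": null disables authentication for it,
# so the two together mean anonymous access to whatever OData services it serves.
SAMPLE_XSACCESS = {
    "sap/odata/orders":   '{"exposed": true,  "authentication": null}',
    "sap/odata/billing":  '{"exposed": true,  "authentication": {"method": "Form"}}',
    "sap/internal/tools": '{"exposed": false, "authentication": null}',
    "sap/odata/legacy":   '{"exposed": true}',
}


def audit_xsaccess(xsaccess_by_package):
    """Return {package: verdict} for every HTTP-exposed package.

    'anonymous'     : exposed and authentication explicitly disabled (null)
    'authenticated' : exposed with an authentication method configured
    'unspecified'   : exposed but no authentication key; the effective setting
                      comes from the server default or a parent package and must
                      be verified there (assumption, not from the note)
    Packages with "exposed": false are not reachable over HTTP and are skipped.
    """
    verdicts = {}
    for package, raw in xsaccess_by_package.items():
        cfg = json.loads(raw)
        if not cfg.get("exposed", False):
            continue
        if "authentication" not in cfg:
            verdicts[package] = "unspecified"
        elif cfg["authentication"] is None:
            verdicts[package] = "anonymous"
        else:
            verdicts[package] = "authenticated"
    return verdicts


def anonymous_packages(xsaccess_by_package):
    """Exposed packages on which authentication still has to be enforced."""
    return sorted(p for p, v in audit_xsaccess(xsaccess_by_package).items()
                  if v == "anonymous")


if __name__ == "__main__":
    for package, verdict in sorted(audit_xsaccess(SAMPLE_XSACCESS).items()):
        print(f"{package:22s} {verdict}")
```

Packages reported as `anonymous` are the ones on which the note's attacker model (no authentication, network reach to the XS port) applies until the patch is installed.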
Note 2644279 deals with a similar high-risk missing XML validation vulnerability in a component of the BEx Web Java Runtime in Business Warehouse. The issue is specific to PDF ALV Export.
Note 2392860 removes transaction ZPTTNO_TIME from the standard roles SAP_PS_RM_PRO_ADMIN and SAP_PS_RM_PRO_REVIEWER in SAP CRM Case Management. The transaction could be abused to escalate privileges.
Other high priority notes include note 2670284 which updates logging functions in Crystal Reports and Business One for HANA to prevent the disclosure of sensitive information, and note 2449974 which introduces authorization check V_VBKA_VKO for specific Sales Support APIs in ECC Sales and Distribution.