SAP Security Notes, January 2020
Note 2822074 patches a missing authorization check in the Business Object Repository (BOR) of SAP NetWeaver Application Server ABAP. The note introduces the switchable authorization check objects S_BOR_RFC and S_BOR_PRX to supplement the generic S_RFC authorization. The new objects should be activated using transaction SACF to secure remote access to BOR. Note 2844646 is a prerequisite for note 2822074 and therefore should be implemented in advance. The report SWO_RFC_AUTH_CHECK_STATE can be executed after the note is applied to check the activation of the checks.
Note 2142551 is re-released with updated correction instructions for implementing whitelists to protect against clickjacking attacks in AS ABAP. Standard protective measures against clickjacking, including the X-Frame-Options HTTP response header, are not suitable for common NetWeaver integration scenarios. Therefore, SAP provides a whitelist-based framework for NetWeaver technologies. The framework and its implementation are described in SAP Note 2319727.
Note 2848498 provides a kernel patch to remove a Denial of service (DOS) vulnerability in the Internet Communication Manager (ICM). Attackers can exploit the vulnerability to crash the ICM by sending specially crafted packets to the IIOP or P4 service that lead to a buffer overflow. The corrections in note 2848498 will support the detection and prevention of the buffer overflow.