SAP Security Notes, September 2020
Hot News note 2958563 patches a critical code injection vulnerability in SAP Business Warehouse. An attacker can abuse specific function modules to inject code into working memory that the application subsequently executes, gaining complete control of BW, including viewing, changing, or deleting data. It impacts BW releases up to 7.40 running on SAP Adaptive Server Enterprise (ASE) 15.7 and 16.0. BW installations running on other database platforms are not impacted.
Note 2961991 patches SAP Marketing by blocking the ability of authenticated attackers to invoke certain functions in the vulnerable Mobile Channel Servlet. The fix blocks the unwanted URLs via web.xml and inspects the payloads of /$batch requests, so that requests bundled inside a batch cannot slip past the URL block. The workaround in note 2962970 provides an interim fix if note 2961991 cannot be implemented immediately.
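To show why a URL block in web.xml alone is not enough and the /$batch payload has to be inspected as well, here is an added example (written for this summary, not SAP's own correction): an OData $batch body carries its own embedded HTTP requests, including nested change sets, so a deny-list has to be applied to each of them. The service root, the deny-list entry and the sample body are constructed placeholders, not the real SAP Marketing paths.

```python
import re
from typing import Iterator, List, Tuple
BOUNDARY_RE = re.compile(r'boundary="?([^";,\s]+)"?', re.I)
REQUEST_LINE_RE = re.compile(r"^(GET|POST|PUT|PATCH|MERGE|DELETE)\s+(\S+)\s+HTTP/1\.[01]\s*$", re.M)

def _parts(body: str, boundary: str) -> List[str]:
    out = []
    for chunk in body.split("--" + boundary)[1:]:  # [0] is the preamble
        if chunk.startswith("--"):  # closing delimiter reached; drop the epilogue
            break
        out.append(chunk.lstrip("\n"))
    return out

def iter_subrequests(body: str, content_type: str) -> Iterator[Tuple[str, str]]:
    """Yield (method, url) for each embedded HTTP request, recursing into change sets."""
    m = BOUNDARY_RE.search(content_type)
    if not m:
        raise ValueError("Content-Type carries no multipart boundary")
    for part in _parts(body.replace("\r\n", "\n"), m.group(1)):
        headers, _, payload = part.partition("\n\n")
        ctype = next((h.split(":", 1)[1].strip().lower() for h in headers.split("\n")
                      if h.lower().startswith("content-type:")), "")
        if ctype.startswith("multipart/mixed"):  # nested change set
            yield from iter_subrequests(payload, ctype)
        elif ctype.startswith("application/http"):
            rl = REQUEST_LINE_RE.match(payload.lstrip("\n"))
            if rl:
                yield rl.group(1), rl.group(2)

def find_blocked(body: str, content_type: str, service_root: str,
                 blocked_prefixes: List[str]) -> List[Tuple[str, str]]:
    hits = []
    for method, url in iter_subrequests(body, content_type):
        # $batch permits URLs relative to the service root; resolve before matching
        path = re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]
        if not path.startswith("/"):
            path = service_root.rstrip("/") + "/" + path
        if any(path.startswith(p) for p in blocked_prefixes):
            hits.append((method, path))
    return hits

# Constructed sample: a harmless GET plus a change set whose POST targets a hypothetical path.
SERVICE_ROOT = "/example/odata/Catalog/"  # hypothetical service root
BLOCKED = ["/example/MobileChannel/"]  # hypothetical deny-list entry
SAMPLE_CONTENT_TYPE = "multipart/mixed; boundary=batch_demo1"
SAMPLE_BODY = "\r\n".join([
    "--batch_demo1", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
    "GET Products(1) HTTP/1.1", "Accept: application/json", "", "",
    "--batch_demo1", "Content-Type: multipart/mixed; boundary=changeset_demo1", "",
    "--changeset_demo1", "Content-Type: application/http", "Content-Transfer-Encoding: binary", "",
    "POST /example/MobileChannel/Register HTTP/1.1", "Content-Type: application/json", "",
    '{"device": "demo"}', "--changeset_demo1--", "--batch_demo1--", ""])
```

The outer request URL ends in /$batch and would pass a web.xml URL block on its own; only by walking the parts, change sets included, does the inner POST against the blocked prefix become visible.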
Note 2941667 includes updated correction instructions for an OS command injection vulnerability in NetWeaver AS ABAP. The vulnerability affects the batch input recorder report RSBDCREC when it is executed outside the context of transaction SHDB.
Notes 2902456 and 2912939 are also updated, for a privilege escalation vulnerability in SAP Landscape Management and a Server-Side Request Forgery vulnerability in AS ABAP, respectively.