SAP Security Notes, December 2020
Hot News note 2983367 patches a severe OS command injection vulnerability in SAP Business Warehouse Master Data Management (MDM) and BW/4HANA. For release 7.30, the note binds the execution of the affected function module to a hard-coded report and to legitimate users. For release 7.40 and higher, the note removes the vulnerable function altogether.
Note 2974774 deals with a missing authentication check in P2P Cluster Communication within SAP NetWeaver Application Server Java (AS Java). P2P Cluster Communication supports message exchange between server nodes within a cluster. The note provides a correction to prevent connections from outside the cluster that could be abused to perform administrative functions including system shutdowns. As a workaround, the message server access control list can be modified to allow P2P connections from only trusted IP addresses. Also, network firewall rules can be used to block external access to the P2P port.
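The workaround above comes down to one decision: only cluster members may open P2P connections. The following added example (not from SAP or from the original note) shows that decision as a small audit script a defender could run over connection records, comparing the insecure default of accepting any source with an allowlist of trusted cluster ranges. The CIDR ranges, the port number and the log line format are constructed placeholders, not SAP's ACL syntax or the real P2P port.

```python
import ipaddress
import re

# Assumed values for the example: address ranges of the cluster's own
# server nodes. In a real system these come from the landscape inventory.
TRUSTED_CLUSTER_RANGES = ["10.10.1.0/24", "10.10.2.0/24"]

# Constructed log format for the example: "<timestamp> P2P connect from <ip>:<port>"
CONNECT_RE = re.compile(r"P2P connect from (?P<ip>[0-9a-fA-F:.]+):(?P<port>\d+)")


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, so lookups are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted_source(src_ip, allowlist):
    """True only if the source address falls inside a trusted cluster range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def accept_any(src_ip):
    """The insecure behaviour the note corrects: every peer is treated as a cluster node."""
    return True


def audit_connections(log_lines, allowlist):
    """Return (source ip, verdict) per connection attempt; lines that do not
    match the expected format are skipped rather than silently accepted."""
    results = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        verdict = "allow" if is_trusted_source(ip, allowlist) else "deny"
        results.append((ip, verdict))
    return results


# Constructed sample records: two cluster peers and one external host.
SAMPLE_LOG = [
    "2020-12-08T10:00:01 P2P connect from 10.10.1.15:50001",
    "2020-12-08T10:00:02 P2P connect from 10.10.2.7:50001",
    "2020-12-08T10:00:09 P2P connect from 203.0.113.44:50001",
    "2020-12-08T10:00:10 unrelated log line",
]

if __name__ == "__main__":
    allowlist = build_allowlist(TRUSTED_CLUSTER_RANGES)
    for ip, verdict in audit_connections(SAMPLE_LOG, allowlist):
        print(f"{ip:>16}  default={'allow' if accept_any(ip) else 'deny'}  hardened={verdict}")
```

Running the script shows the external address 203.0.113.44 accepted under the default and denied under the allowlist; any denied entry in real logs is worth investigating, since a legitimate node would always be inside the trusted ranges.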
Hot News note 2979062 includes an update for a critical privilege escalation vulnerability in the UDDI server of AS Java. The vulnerability can be exploited to completely compromise the confidentiality, integrity and availability of the server OS. The update provides fixes for versions SR UI 7.40 SP 017 and SR UI 7.31 SP 022.