SAP Security Notes, September 2023
Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.
Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.
Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.
Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade to CommonCryptoLib to 8.5.49 or higher.