SAP Security Notes, November 2024
Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. It affects users who access the administration UI with a browser. As a workaround, the administration UI can be disabled by deleting the content of the directory /usr/sap/data/icmandir/admin/. It can also be disabled by removing the icm/HTTP/admin_x parameters from the DEFAULT and instance profiles and setting the profile parameter icm/HTTP/admin_0 to an empty value. Another option is to remove administrative roles from all users: the admin role can be removed and replaced with the monitor role. To fix the vulnerability, the SAP Kernel and Web Dispatcher should be upgraded to the required patch level for each version detailed in the note. The correction implements encoding to prevent a successful XSS attack.
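An added defender-side check for the profile-based workaround above (example code written for this summary, not from SAP or the note): it parses constructed sample profile lines in the usual `parameter = value` shape and reports whether any icm/HTTP/admin_x parameter still carries a value after DEFAULT and instance profile precedence is applied.

```python
"""Audit SAP profile files for the Web Dispatcher admin UI workaround.

Constructed example, not SAP code. The profile format is reduced to
'parameter = value' lines with '#' comments, and the sample profile
contents below are made up for illustration.
"""
import re

# Matches the admin UI parameters the note says to remove (icm/HTTP/admin_0, _1, ...).
ADMIN_PARAM = re.compile(r"^icm/HTTP/admin_(\d+)$")

# Constructed sample: a DEFAULT profile as it might look before the workaround.
SAMPLE_DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = WD1
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir$(DIR_SEP)admin, AUTHFILE=$(icm/authfile)
"""

# Constructed sample: an instance profile after applying the workaround
# (icm/HTTP/admin_0 set to an empty value, as the note describes).
SAMPLE_INSTANCE_PFL_FIXED = """\
# instance profile (constructed sample)
icm/HTTP/admin_0 =
"""


def parse_profile(text):
    """Return {parameter: value} for the non-comment lines of a profile.

    Splits on the first '=' only, because admin UI values contain further
    '=' characters (PREFIX=..., DOCROOT=...).
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def admin_ui_status(*profile_texts):
    """Report whether the admin UI is still configured across the given profiles.

    Profiles are merged in the order given, later ones overriding earlier
    ones, so pass the DEFAULT profile first and the instance profile last.
    Returns (enabled, names) where names lists the icm/HTTP/admin_x
    parameters that still carry a non-empty value.
    """
    merged = {}
    for text in profile_texts:
        merged.update(parse_profile(text))
    active = {n: v for n, v in merged.items() if ADMIN_PARAM.match(n) and v}
    return bool(active), sorted(active)
```

Run it against the real DEFAULT and instance profile contents of a Web Dispatcher to confirm the workaround took effect; an empty result does not verify the docroot directory itself, which must be checked separately.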
Note 3483344 was updated with revised correction instructions to patch a high-risk missing authorization check that could be exploited to escalate privileges in SAP PDCE. The note deactivates the vulnerable functions.
Note 3509619 patches a privilege escalation vulnerability in some versions of the SAP Host Agent installed on Unix platforms that enables attackers belonging to the sapsys group to replace local files that are usually protected by privileged access.
Note 3335394 resolves a missing authorization check in SAP NetWeaver AS Java that could lead to unauthorized access and changes to the System Landscape Directory (SLD).
Notes 3522953 and 3393899 deal with information disclosure vulnerabilities in the Software Update Manager and Logon Application of NetWeaver AS Java.