SAP Security Notes

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of …

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, …

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific …

Note 3237075 patches a high priority vulnerability in SAP GRC Access Control that could be exploited by attackers to access Firefighter sessions even after they are closed in the Firefighter Logon Pad. Firefighter IDs are dedicated user identities with elevated privileges that are activated when required and controlled through Emergency Access Management (EAM) in SAP …

Note 3102769 was rereleased in August with updated solution information. The workaround detailed in the original note has been moved to the new note 3221696. The workaround provides steps for deactivating the SAP IKS component to address a high priority cross-site scripting (XSS) vulnerability in SAP Knowledge Warehouse. Note 3150454 was also updated to enforce …

There were several high priority security notes released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from …

Note 3158375 patches a high priority vulnerability in the SAProuter that can be exploited by attackers to execute administration commands from remote clients. The SAProuter is designed to accept administration commands from local clients only. However, this restriction can be bypassed in installations with specific entries in the saprouttab, the root permission table for the …

Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788. Notes 2756188 …

The central note 3170990 consolidates security notes for the critical Spring4Shell vulnerability. Spring4Shell is addressed by CVE-2022-22965. This is related to a remote code execution vulnerability in the open-source Java Spring Framework. Successful exploitation requires Apache Tomcat for serving applications built as a WAR file. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Sping4Shell in …

Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU. ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP …

The central note 3131047 was updated with the addition of security notes 3142773 and 3139893 for the critical remote code execution vulnerability in the Apache Log4J 2 component. The new notes patch Log4Shell in SAP Commerce and SAP Dynamic Authorization Management and include manual procedures to apply both patches and workarounds. Note 3140940 patches a …

Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component. …

The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications. Log4Shell impacts Log4J, a widely installed …

Hot news note 3089831 was updated for a SQL Injection vulnerability in SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or inject code through vulnerable NZDT function modules. The …

Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note …

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but …

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The …

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications.  Note 3007182 includes kernel patches for multiple kernel …

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to …

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code.  The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note.  Access to …

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute …

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are …

Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with required privileges to edit drools rules. An authenticated attacker with this privilege is able to inject malicious code in the drools rules, enabling the attacker to compromise the SAP host. This …

Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted …