Layer Seven Security

SAP Security Notes, November 2024

Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. It impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround, either by deleting the content of directory /usr/sap/data/icmandir/admin/, or by removing the icm/HTTP/admin_x parameters from the DEFAULT and instance profile and setting profile parameter icm/HTTP/admin_0 to an empty value. Another option is to remove administrative roles for all users: the admin role can be removed from users and replaced with the monitor role. To fix the vulnerability, the SAP Kernel and Web Dispatcher should be upgraded to the required patch level for each version detailed in the note. The correction implements encoding to prevent a successful XSS attack.

Note 3483344 was updated with revised correction instructions to patch a high risk missing authorization check that could be exploited to escalate privileges in SAP PDCE. The note deactivates the vulnerable functions.

Note 3509619 patches a privilege escalation vulnerability in some versions of the SAP Host Agent installed on Unix platforms that enables attackers belonging to the sapsys group to replace local files usually protected by privileged access.

Note 3335394 resolves a missing authorization check in SAP NetWeaver AS Java that could lead to unauthorized access and changes to the System Landscape Directory (SLD).

Notes 3522953 and 3393899 deal with information disclosure vulnerabilities in the Software Update Manager and Logon Application of NetWeaver AS Java.

SAP Security Notes, October 2024

Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The note includes details of a workaround that will disable trusted authentication in the Business Intelligence Platform Restful Web Services (BIPRWS) Web Application.

Note 3478615 patches a high-risk unrestricted file upload and malicious file execution vulnerability in BOBJ. In addition to applying the relevant support package patch detailed in the note, customers must create and maintain an access control list. The ACL should contain the list of folders that can contain personal data providers.

Note 3523541 addresses multiple vulnerabilities in Spring Framework and Log4j open-source libraries included in SAP Enterprise Project Connection. The patch included in the note updates the Spring framework and reload4j libraries to address the vulnerabilities.

Notes 3454858 and 3477359 deal with information disclosure vulnerabilities in SAP NetWeaver Application Server (AS) ABAP and AS Java, respectively. The vulnerabilities could be exploited to access restricted file system information and usernames and passwords for new RFC destinations.

SAP Security Notes, September 2024

Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections cannot be implemented within a reasonable timeframe.

Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. The solution included in the note encodes parameters to address the vulnerability.

Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.

Note 3488039 deals with multiple missing authorizations in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The authorizations impact function modules in function group SMTR_NAVIGATION_MODULES_BX. As a workaround, you may withdraw permission S_RFC with field RFC_TYPE with prefixed value for SMTR_NAVIGATION_MODULES_BX or field RFC_NAME with value of the function modules of the function group SMTR_NAVIGATION_MODULES_BX.

SAP Security Notes, August 2024

Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps are vulnerable to CVE-2024-29415 due to the use of an older version of a Node.js library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build Apps. Applications should be rebuilt with version 4.11.130 or later in SAP Build Apps to address the vulnerability.

Hot news note 3479478 for CVE-2024-41730 patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by threat actors to compromise logon tickets used for single sign-on with a REST endpoint. The fix included in the note secures the default configuration of single sign-on enterprise authentication.

Note 3485284 addresses a high priority XML injection vulnerability in the Export Web Service of BEx Web Java Runtime in SAP Business Intelligence version 7.50. The issue is specific to PDF export only using Java ALV and ADS.

Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could lead to the leakage of Personally Identifiable Information (PII) data in query or path parameters. This includes passwords, email addresses, mobile numbers, coupon codes, and voucher codes. The vulnerability impacts specific API endpoints detailed in the note. A workaround is included in the note. Vulnerable endpoints should be replaced with the new secure variants detailed in the solution section of the note.

SAP Security Notes, July 2024

Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by SAP. The note applies to versions 102-103 of S4CORE and 104-108 of S4COREOP.

Note 3490515 patches a vulnerability in SAP Commerce which enables users to misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. The issue materializes when both early login and registration are set to true. It does not affect setups that utilize classic accelerator storefronts and is specific to B2B scenarios. A workaround in the note includes steps for disabling early login and registration.

Note 3454858 addresses an information disclosure vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note updates function module F4_DXFILENAME_TOPRECURSION to restrict access to the file system and prevent users from traversing to unauthorized directories.

Note 3456952 patches SAP NetWeaver AS ABAP and ABAP Platform to prevent developers bypassing an API configured for malware scanning using classes CL_HTTP_REQUEST and CL_HTTP_ENTITY.

Notes 3482217 and 3468681 address multiple cross-site scripting vulnerabilities in SAP Business Warehouse and SAP Knowledge Management, respectively.

SAP Security Notes, June 2024

Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.

Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities in SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent the exploitation of the vulnerabilities.

Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.

A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.

Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.

SAP Security Notes, May 2024

Hot news note 3448171 patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. The correction delivered in the note changes the default configuration to prevent file uploads without signatures in the FILESYSTEM and SOMU_DB of the Content Repository. The workaround detailed in the note provides manual steps for applying the secure configuration using transaction OAC0.

Note 3455438 addresses CSS injection and remote code execution vulnerabilities in SAP CX Commerce. The version of Swagger UI used in CX Commerce is vulnerable to CVE-2019-17495 (CSS injection). This vulnerability enables attackers to perform Relative Path Overwrite (RPO) in the CSS-based input fields. Apache Calcite Avatica 1.18.0 in CX Commerce is vulnerable to CVE-2022-36364 (remote code execution). The note removes extensions that use Swagger UI. It also updates Avatica to a secure version.

Note 3431794 fixes a high-risk cross site scripting vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) Platform. BOBJ is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL. User input is sanitized by the correction delivered via the note to address the vulnerability.

Notes 3450286 and 3448445 address stored cross site scripting vulnerabilities in SAP NetWeaver AS ABAP that can lead to code injection and session hijacking due to insufficient encoding of URL parameters.

Note 2174651 patches an information disclosure vulnerability in the Integration Directory of SAP Process Integration (PI) that could enable attackers to discover sensitive information such as usernames and passwords.

SAP Security Notes, April 2024

Note 3434839 deals with a high-priority security misconfiguration in the User Management Engine of SAP NetWeaver AS Java. User passwords created using self-registration are not subject to password complexity requirements defined in UME settings. The misconfiguration impacts version 7.50 of AS Java. The password policy can be enforced by updating the impacted software components to the recommended versions specified in the note. Disabling user self-registration and the ability of users to modify their profiles is recommended as a temporary workaround if the components cannot be upgraded in a reasonable timeframe.

Note 3421384 patches an information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence that could enable attackers to access sensitive operating system information. The note includes support package patches to address the vulnerability. Since the vulnerability arises from the reading of arbitrary Excel files, a workaround can be applied by removing the service Excel Data Access from all Adaptive Processing Servers.

Note 3438234 addresses a directory traversal vulnerability in SAP Asset Accounting caused by insufficient validation of user-provided path information. The correction included in the note verifies the path information against logical filenames. The vulnerable programs RAALTE00 and RAALTD01 can be protected using authorization groups as a workaround.

SAP Security Notes, March 2024

Hot news note 3425274 deals with a critical code injection vulnerability in applications developed with SAP Build Apps. The note recommends rebuilding applications with version 4.9.145 or later.

Hot news note 3433192 patches a code injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The plug-in allows threat actors with the Administrator role to upload potentially dangerous files that could be exploited to run arbitrary commands. The corrections included in the note block the upload of dangerous file types and support virus scanning for uploaded files.

Note 3414195 includes support package patches for SAP BusinessObjects Business Intelligence (BOBJ) version 4.3 SP02 – 05 to address a high-priority path traversal vulnerability in the Central Management Console. The vulnerability arises from a version of Apache Struts included in BOBJ which is vulnerable to CVE-2023-50164.

Note 3410615 corrects a Denial-of-Service vulnerability impacting SAP HANA XS. The DoS can be triggered by a high volume of HTTP/2 requests. The HTTP/1 protocol is not affected. A workaround can be applied by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false to disable support for the HTTP/2 protocol.
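The profile-parameter workarounds for Note 3410615 above and for Note 3520281 (November 2024) can be verified with a short script. The following is an added example, not code from SAP or from the notes; it merges a DEFAULT and an instance profile and reports whether each workaround is in place. The sample profile contents are constructed, and treating an unset icm/HTTP/support_http2 as a finding is an assumption.

```python
import re

ADMIN_PARAM = re.compile(r"^icm/HTTP/admin_\d+$")

# Constructed sample profiles (not from a real system).
SAMPLE_DEFAULT = """\
SAPSYSTEMNAME = WD1
icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
icm/HTTP/admin_1 = PREFIX=/sap/admin,DOCROOT=./admin
"""
SAMPLE_INSTANCE = """\
# admin_0 emptied, but admin_1 from DEFAULT was overlooked
icm/HTTP/admin_0 =
icm/HTTP/support_http2 = TRUE
"""

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment line."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # values may contain '=' themselves
        params[name.strip()] = value.strip()
    return params

def audit(default_text, instance_text):
    """Return findings per workaround; an empty list means it is in place."""
    # Instance profile settings override those in the DEFAULT profile.
    merged = {**parse_profile(default_text), **parse_profile(instance_text)}
    admin_ui = [f"{name} is still set: {value}"
                for name, value in sorted(merged.items())
                if ADMIN_PARAM.match(name) and value]
    if "icm/HTTP/admin_0" not in merged:
        admin_ui.append("icm/HTTP/admin_0 is not explicitly set to an empty value")
    http2 = []
    # Assumption: an unset parameter is reported, since the kernel default is not checked here.
    setting = merged.get("icm/HTTP/support_http2")
    if setting is None or setting.lower() != "false":
        http2.append(f"icm/HTTP/support_http2 is {setting!r}, expected false")
    return {"admin_ui": admin_ui, "http2": http2}

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_DEFAULT, SAMPLE_INSTANCE).items():
        print(check, "OK" if not findings else findings)
```

On the constructed sample, the admin UI check flags icm/HTTP/admin_1, which is inherited from the DEFAULT profile even though icm/HTTP/admin_0 was emptied in the instance profile.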

Note 3346500 was updated with revised solution information for a high-risk authentication vulnerability in SAP Commerce Cloud. The solution changes the default value of the property user.password.acceptEmpty to false to prevent the use of empty passphrases for user authentication.

SAP Security Notes, February 2024

Hot news note 3420923 patches a critical code injection vulnerability in the Web Survey component of Application Basis. Prerequisite note 1110803 is required to apply the correction for versions 700-710 and note 1354949 is required for version 711. As a workaround, remote calls to function modules of CA-SUR can be restricted using authorization object S_RFC.

Note 3417627 addresses a high-risk cross-site scripting vulnerability in the User Admin Application of SAP NetWeaver Application Server Java (AS Java). The vulnerability is a side effect of improper encoding and validation introduced with note 3251396.

Note 3426111 secures an XML parser in the Guided Procedures component of AS Java to patch an XML External Entity (XXE) injection vulnerability. The vulnerability can be exploited by threat actors to read sensitive files. The note includes details of a workaround that requires disabling the vulnerable caf-eu-gp-model-iforms-eap application.

Notes 3424610 and 3410875 deal with broken authentication and cross-site scripting vulnerabilities in the SAP Cloud Connector and SAP CRM, respectively.