Category: Advisories

Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials.  The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the vulnerability are relatively non-complex and do not require any privileges in target SAP systems. The solution requires the implementation of a kernel patch. There are no workarounds for the vulnerability.

Hot news note 3550708 addresses an equally high-risk information disclosure vulnerability in NetWeaver AS ABAP. Attackers can exploit insufficient authentication in the Internet Communication Framework (ICF) to access restricted information. This can have a significant impact on confidentiality, integrity, and availability. The root cause of the vulnerability is the inclusion of a testing utility in NetWeaver AS ABAP that was not intended for customer delivery. The solution included in the note disables the execution of transaction SA38 by the impacted programs. Access to transaction SA38 can be restricted as a workaround.

Note 3550816 deals with a high-risk SQL injection vulnerability in NetWeaver AS ABAP. Attackers can exploit vulnerable RFC functions to access Informix databases. The solution deactivates the vulnerable functions. A workaround can be implemented to mitigate the vulnerability by restricting access to the execution of remote-enabled function modules in function group SDBI. This can be performed using authorization object S_RFC.  

Note 3474398 patches multiple vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ) Platform. This includes information disclosure that can lead to session hijacking, and code injection that can enable attackers to inject and execute malicious JavaScript code.

Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup that could enable attackers to escalate privileges in Windows servers and compromise active directories. SAPSetup supports the installation, updating, and maintenance of SAP software in Microsoft Windows. The solution in the note fixes permissions for relevant temporary directories.

Hot news note 3536965 addresses multiple high risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for JAVA (AS Java). This includes vulnerabilities for Server-Side Request Forgery (SSRF) and information disclosure. ADS should be updated to the recommended patch levels detailed in the note. There are no workarounds provided by SAP.

Note 3542543 deals with a SSRF vulnerability in the NetWeaver Administrator of AS Java. The vulnerability is caused by insufficient authentication checks for a specific servlet. The note includes details for disabling the servlet as a workaround.

Note 3520281 was re-released with updated information for a cross-site scripting vulnerability in SAP Web Dispatcher. The note includes several workarounds if Web Dispatchers and Kernels cannot be upgraded to the recommended patch levels within a reasonable timeframe.

Note 3469791 patches an information disclosure vulnerability that could lead to the compromise of credentials for RFC destinations in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability can be mitigated by setting profile parameter rfc/dynamic_dest_api_only to the value 1. This will deactivate the legacy dynamic destination.

Finally, note 3504390 addresses a NULL Pointer Dereference (NPD) vulnerability in AS ABAP that can be exploited by attackers to trigger a denial of service.

Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. The vulnerability impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be performed by deleting the content of directory /usr/sap/data/icmandir/admin/. The administration UI can also be deleted by removing icm/HTTP/admin_x parameters from the DEFAULT and instance profile and setting profile parameter icm/HTTP/admin_0 to an empty value. Another option is to remove administrative roles for all users. The admin role can be removed from users and replaced with the monitor role. The SAP Kernel and Web Dispatcher should be upgraded to required patch level for each version detailed in the note to fix the vulnerability. The correction will implement encoding to prevent a successful XSS attack.

Note 3483344 was updated with revised correction instructions to patch a high risk missing authorization check that could be exploited to escalate privileges in SAP PDCE. The note deactivates the vulnerable functions.

Note 3509619 patches a privilege escalation vulnerability in some versions of the SAP Host Agent installed in Unix platforms that enable attackers belonging to the sapsys group to replace local files usually protected by privileged access.

Note 3335394 resolves a missing authorization check in SAP NetWeaver AS Java that could lead to unauthorized access and changes to the System Landscape Directory (SLD).

Notes 3522953 and 3393899 deal with information disclosure vulnerabilities in the Software Update Manager and Logon Application of NetWeaver AS Java.

Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The notes includes details of a workaround that will disable trusted authentication in the Business Intelligence Platform Restful Web Services (BIPRWS) Web Application.

Note 3478615 patches a high-risk unrestricted file upload and malicious file execution vulnerability in BOBJ. In addition to applying the relevant support package patch detailed in the note, customers must create and maintain an access control list. The ACL should contain the list of folders that can contain personal data providers.

Note 3523541 addresses multiple vulnerabilities in Spring Framework and Log4j open-source libraries included in SAP Enterprise Project Connection. The patch included in the note updates the Spring framework and reload4j libraries to address the vulnerabilities.

Notes 3454858 and 3477359 deal with information disclosure vulnerabilities SAP NetWeaver Application Server (AS) ABAP and AS Java, respectively. The vulnerabilities could be exploited to access restricted file system information and usernames and passwords for new RFC destinations.

Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections can not be implemented within a reasonable timeframe.

Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. The solution included in the note encodes parameters to address the vulnerability.

Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.

Note 3488039 deals with multiple missing authorizations in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The authorizations impact function modules in function group SMTR_NAVIGATION_MODULES_BX. As a workaround, you may withdraw permission S_RFC with field RFC_TYPE with prefixed value for SMTR_NAVIGATION_MODULES_BX or field RFC_NAME with value of the function modules of the function group SMTR_NAVIGATION_MODULES_BX.

Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps are vulnerable to CVE-2024-29415 due to the use of an older version of an Nodejs library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build Apps. Applications should be rebuilt with version 4.11.130 or later in SAP Build Apps to address the vulnerability.

Hot news note 3479478 for CVE-2024-41730 patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by threat actors to compromise logon tickets used for single sign-on with a REST endpoint. The fix included in the note secures the default configuration of single sign-on enterprise authentication.

Note 3485284 addresses a high priority XML injection vulnerability in the Export Web Service of BEx Web Java Runtime in SAP Business Intelligence version 7.50. The issue is specific to PDF export only using Java ALV and ADS.

Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could lead to the leakage of Personally Identifiable Information (PII) data in query or path parameters. This includes passwords, email addresses, mobile numbers, coupon codes, and voucher codes. The vulnerability impacts specific API endpoints detailed in the note. A workaround is included in the note. Vulnerable endpoints should be replaced with the new secure variants detailed in the solution section of the note.

Note 3483344 addresses a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), included in the S4CORE component of SAP S/4HANA. The vulnerability can be exploited to escalate privileges and read sensitive information. The correction included in the note deactivates the affected functions to remove the vulnerability. There is no workaround provided by SAP. The note applies to versions 102-103 of S4CORE and 104-108 of S4COREOP.

Note 3490515 patches a vulnerability in SAP Commerce which enables users to misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. The issue materializes when both early login and registration are set to true. It does not affect setups that utilize classic accelerator storefronts and is specific to B2B scenarios. A workaround in the note includes steps for disabling early login and registration.

Note 3454858 addresses an information disclosure vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note updates function module F4_DXFILENAME_TOPRECURSION to restrict access to the file system and prevent users from traversing to unauthorized directories.

Note 3456952 patches SAP NetWeaver AS ABAP and ABAP Platform to prevent developers bypassing an API configured for malware scanning using classes CL_HTTP_REQUEST and CL_HTTP_ENTITY.

Notes 3482217 and 3468681 address multiple cross-site scripting vulnerabilities in SAP Business Warehouse and SAP Knowledge Management, respectively.

Note 3460407 patches a high priority denial of service vulnerability in the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java). The vulnerability impacts version 7.50 of the software component MMR_SERVER. There are no workarounds available.

Note 3457592 deals with reflected and stored cross-site scripting vulnerabilities SAP Financial Consolidation reported in CVE-2024-37177 and CVE-2024-37178. The note encodes URL parameters to prevent the exploitation of the vulnerabilities.

Note 3466175 patches an access control issue related to the management of incoming payment files in SAP S/4HANA that could lead to an escalation of privileges. The impacted versions of S4CORE are 102-108.

A similar vulnerability is patched by note 3465455 in SAP BW/4HANA. After applying the note, it will not be possible to execute arbitrary functions within SAP BW/4HANA Transformation and DTP. Only functions/methods explicitly defined in the allowlist mentioned in the manual correction instructions can be executed to avoid any misuse.

Note 3425571 fixes an information disclosure vulnerability in NetWeaver AS Java that could lead to the leakage of server information. A workaround is detailed in the note to disable the impacted caf~eu~gp~model~eap application in the Guided Procedures component of AS Java.

Hot news note 3448171 patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. The correction delivered in the note changes the default configuration to prevent file uploads without signatures in the FILESYSTEM and SOMU_DB of the Content Repository. The workaround detailed in the note provides manual steps for applying the secure configuration using transaction OAC0.

Note 3455438 addresses CSS injection and remote code execution vulnerabilities in SAP CX Commerce. Swagger UI in CX Commerce is using is vulnerable to CVE-2019-17495 (CSS injection). This vulnerability enables the attackers to perform Relative Path Overwrite (RPO) in the CSS-based input fields. Apache Calcite Avatica 1.18.0 in CX Commerce is vulnerable to CVE-2022-36364 (Remote code execution). The note removes extensions that use Swagger UI. It also updates Avatica to a secure version.

Note 3431794 fixes a high-risk cross site scripting vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) Platform. BOBJ is vulnerable to stored XSS allowing an attacker to manipulate a parameter in the Opendocument URL. User input is sanitized by the correction delivered via the note to address the vulnerability.

Notes 3450286 and 3448445 addresses stored cross site scripting vulnerabilities in SAP NetWeaver AS ABAP that can lead to code injection and session hijacking due to insufficient encoding of URL parameters.

Note 2174651 patches an information disclosure vulnerability in the Integration Directory of SAP Process Integration (PI) that could enable attackers to discover sensitive information such as usernames and passwords.

Note 3434839 deals with a high-priority security misconfiguration in the User Management Engine of SAP NetWeaver AS Java. User passwords created using self-registration are not subject to password complexity requirements defined in UME settings. The misconfiguration impacts version 7.50 of AS Java. The password policy can be enforced by updating the impacted software components to the recommended versions specified in the note. Disabling user self-registration and the ability of users to modify their profiles is recommended a temporary workaround if the components cannot be upgraded in a reasonable timeframe.

Note 3421384 patches an information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence that could enable attackers to access sensitive operating system information. The note includes support package patches to address the vulnerability. Since the vulnerability arises from the reading of arbitrary Excel files, a workaround can be applied by removing the service Excel Data Access from all Adaptive Processing Servers.

Note 3438234 addresses a directory traversal vulnerability in SAP Asset Accounting caused by insufficient validation of user-provided path information. The correction included in the note verifies the path information against logical filenames. The vulnerable programs RAALTE00 and RAALTD01 can be protected using authorization groups as a workaround.