Layer Seven Security

SAP Zero Day Vulnerability CVE-2025-31324 / Security Note 3594142

On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability in the Metadata Uploader endpoint within the Development Server of the Visual Composer component in SAP NetWeaver Java. The exploitation involved specific POST requests that led to the installation of JSP webshell files in the directory j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/. The webshells enabled threat actors to execute remote commands and obtain full control of SAP systems using the privileges of the SAP operating system user <SID>ADM.

The vulnerability was reported to SAP by ReliaQuest. SAP disclosed the vulnerability as CVE-2025-31324 on April 24 and released a patch in security note 3594142. The CVSS score for the CVE is 10/10 and the security note is rated hot news. The patch applies authentication and authorization to prevent unauthorized access and file upload.

Security note 3594142 provides an automated correction for version 7.50 of the Visual Composer Framework in NetWeaver Java systems. In accordance with the general SAP maintenance strategy, patches are only provided for support packages released within the last 24 months. Please refer to the SAP 24-Month Rule for SAP Security Patching for more information regarding the strategy. Versions 7.0-7.40 of SAP NetWeaver Java are no longer maintained by SAP. Mainstream maintenance for version 7.50 is available until the end of 2027. Extended maintenance will be offered until the end of 2030.

Visual Composer is available in all 7.x versions of SAP NetWeaver Java. Workarounds for versions lower than 7.50 are detailed in KBA 3593336. The workarounds include options for disabling Visual Composer, disabling the application alias for the Development Server, or blocking access to the Development Server using either Access Control Lists (ACLs) defined for the Internet Communication Manager (ICM) or URL restrictions implemented using firewall rules.

Layer Seven Security has released an update for the Cybersecurity Extension for SAP to enable the detection of attempted and successful exploitation of CVE-2025-31324 in SAP NetWeaver Java systems. This includes detecting POST requests to the vulnerable component and discovering the presence of malicious files in target directories. The solution also checks version information for SAP NetWeaver Java to ensure systems are able to apply automated corrections from SAP rather than manual workarounds.
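A simplified version of the two detection checks described above, added here as an illustration (this is not the Cybersecurity Extension for SAP's own logic). It assumes CLF-style HTTP access log lines, the publicly reported Metadata Uploader path /developmentserver/metadatauploader (not quoted in the text above), and a baseline of known-good JSP file names taken from a clean system; the sample log lines are constructed.

```python
import re
from pathlib import Path

# Assumption: publicly reported path of the Visual Composer Metadata Uploader.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Webshell drop directory as given in the text, relative to the AS Java instance.
JSP_ROOT = "j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/"

# Assumes CLF-style lines: client ident user [time] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def classify_request(line):
    """'attempt' for a POST to the uploader (the exploitation pattern in the
    text), 'probe' for any other method hitting it, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("url").split("?", 1)[0].lower()
    if not path.startswith(UPLOADER_PATH):
        return None
    return "attempt" if m.group("method") == "POST" else "probe"

def scan_access_log(lines):
    """Count attempts and probes per client address."""
    hits = {}
    for line in lines:
        kind = classify_request(line)
        if kind:
            client = LOG_RE.match(line).group("client")
            hits.setdefault(client, {"attempt": 0, "probe": 0})[kind] += 1
    return hits

def unexpected_jsp(names, baseline):
    """JSP files in the drop directory that are absent from the known-good
    baseline (case-insensitive, since webshell names vary in case)."""
    allowed = {n.lower() for n in baseline}
    return sorted(n for n in names
                  if n.lower().endswith(".jsp") and n.lower() not in allowed)

def scan_jsp_root(instance_dir, baseline):
    """Apply unexpected_jsp() to the real directory on an AS Java host."""
    root = Path(instance_dir) / JSP_ROOT
    names = [p.name for p in root.iterdir() if p.is_file()] if root.is_dir() else []
    return unexpected_jsp(names, baseline)

# Constructed sample lines, not taken from a real incident.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1480',
    '203.0.113.7 - - [22/Apr/2025:10:02:19 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 221',
]
```

Adjust LOG_RE to the LOGFORMAT configured in your icm/HTTP/logging_x parameter if it differs from CLF.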

SAP Security Notes, April 2025

Hot news 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module using RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package referenced in the note for the S4CORE software component.

The vulnerability also impacts standalone SAP Landscape Transformation installations with the DMIS software component. Note 3587115 includes support packages for the relevant DMIS versions.

Hot news note 3572688 addresses a vulnerability that enables attackers to bypass authentication mechanisms to compromise the Admin account in SAP Financial Consolidation. The account is primarily used for initial installation and configuration, supporting system and user administration.

Note 3525794 deals with a high priority information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the leakage of passphrases for user authentication. The support packages included in the note remove access to passphrases from users. A workaround is also included in the note that involves disabling Trusted Authentication in the BOBJ Central Management Console.

Note 3554667 also addresses a high-risk information disclosure vulnerability. Attackers can discover credentials for RFC destinations in SAP NetWeaver AS ABAP using specific RFC calls. The kernel patches included in the note apply the required validation for dynamic destinations to fix the vulnerability. The vulnerability can also be addressed by disabling dynamic RFC destinations, which is done by setting profile parameter rfc/dynamic_dest_api_only to the value 1.

SAP Security Notes, March 2025

Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM is used to restrict access to programs executed using the transaction. The restriction is based on authorization groups. Therefore, programs must be assigned to authorization groups in order to apply restrictions. The Class Builder is used to create, maintain and test classes for ABAP objects, attributes and methods.

Note 3569602 patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce. The vulnerability arises from insufficient input validation in an open-source library included in SAP Commerce. The note includes a workaround that details steps for removing the use of the vulnerable component or blocking access to the component using network or host firewalls.

Vulnerabilities in open-source components also impact SAP Commerce Cloud. The vulnerabilities are addressed in note 3566851. SAP Commerce Cloud uses a version of Apache Tomcat that is vulnerable to Denial of Service (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316).

Note 3567974 deals with an authentication bypass vulnerability that could be exploited using code injection in SAP Approuter. All SAP Approuter deployments in BTP are affected. SAP recommends updating deployments to version 16.7.2 or higher.

Note 3483344 was updated for components supporting PDCE in S/4HANA that are vulnerable to a missing authentication check. The components include S4CORE, S4COREOP and SEM-BW.

SAP Security Notes, February 2025

Note 3417627 was updated in February to patch a high-risk cross-site scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. The vulnerability is due to insufficient input validation and improper encoding. This allows an unauthenticated attacker to craft links containing malicious scripts. When a victim clicks on such a link, the script executes in the victim's browser, potentially leading to unauthorized access or modification of sensitive information. Note 3557138 provides updated corrections to address the vulnerability.

Note 3525794 deals with an information disclosure vulnerability in the Central Management Console of the SAP BusinessObjects Business Intelligence platform. Attackers with administrative rights can generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. The correction in the note removes the ability of administrators to access passphrases.

Note 3567551 resolves a path traversal vulnerability in the Master Data Management Catalog of SAP Supplier Relationship Management. The correction in the note sanitizes the triggered input URL path and prevents attackers from downloading arbitrary files from remote systems.

Note 3563929 patches an open redirect vulnerability in SAP HANA extended application services. The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation. The note applies validation of redirect URLs to prevent exploitation.

SAP Security Notes, January 2025

Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the vulnerability are of low complexity and do not require any privileges in target SAP systems. The solution requires the implementation of a kernel patch. There are no workarounds for the vulnerability.

Hot news note 3550708 addresses an equally high-risk information disclosure vulnerability in NetWeaver AS ABAP. Attackers can exploit insufficient authentication in the Internet Communication Framework (ICF) to access restricted information. This can have a significant impact on confidentiality, integrity, and availability. The root cause of the vulnerability is the inclusion of a testing utility in NetWeaver AS ABAP that was not intended for customer delivery. The solution included in the note disables the execution of transaction SA38 by the impacted programs. Access to transaction SA38 can be restricted as a workaround.

Note 3550816 deals with a high-risk SQL injection vulnerability in NetWeaver AS ABAP. Attackers can exploit vulnerable RFC functions to access Informix databases. The solution deactivates the vulnerable functions. A workaround can be implemented to mitigate the vulnerability by restricting access to the execution of remote-enabled function modules in function group SDBI. This can be performed using authorization object S_RFC.

Note 3474398 patches multiple vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ) Platform. This includes information disclosure that can lead to session hijacking, and code injection that can enable attackers to inject and execute malicious JavaScript code.

Note 3542533 resolves a DLL hijacking vulnerability in SAPSetup that could enable attackers to escalate privileges in Windows servers and compromise active directories. SAPSetup supports the installation, updating, and maintenance of SAP software in Microsoft Windows. The solution in the note fixes permissions for relevant temporary directories.

SAP Security Notes, December 2024

Hot news note 3536965 addresses multiple high-risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for Java (AS Java). This includes vulnerabilities for Server-Side Request Forgery (SSRF) and information disclosure. ADS should be updated to the recommended patch levels detailed in the note. There are no workarounds provided by SAP.

Note 3542543 deals with an SSRF vulnerability in the NetWeaver Administrator of AS Java. The vulnerability is caused by insufficient authentication checks for a specific servlet. The note includes details for disabling the servlet as a workaround.

Note 3520281 was re-released with updated information for a cross-site scripting vulnerability in SAP Web Dispatcher. The note includes several workarounds if Web Dispatchers and Kernels cannot be upgraded to the recommended patch levels within a reasonable timeframe.

Note 3469791 patches an information disclosure vulnerability that could lead to the compromise of credentials for RFC destinations in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability can be mitigated by setting profile parameter rfc/dynamic_dest_api_only to the value 1. This will deactivate the legacy dynamic destination.

Finally, note 3504390 addresses a NULL Pointer Dereference (NPD) vulnerability in AS ABAP that can be exploited by attackers to trigger a denial of service.

SAP Security Notes, November 2024

Note 3520281 patches a high priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary code and fully compromise Web Dispatcher installations. The vulnerability impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be performed by deleting the content of directory /usr/sap/data/icmandir/admin/. The administration UI can also be disabled by removing icm/HTTP/admin_x parameters from the DEFAULT and instance profile and setting profile parameter icm/HTTP/admin_0 to an empty value. Another option is to remove administrative roles for all users. The admin role can be removed from users and replaced with the monitor role. The SAP Kernel and Web Dispatcher should be upgraded to the required patch level for each version detailed in the note to fix the vulnerability. The correction implements encoding to prevent a successful XSS attack.
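The profile-based workarounds above (icm/HTTP/admin_x for note 3520281) and in the RFC destination notes 3554667 and 3469791 (rfc/dynamic_dest_api_only = 1) can be checked with a small profile audit. This is an added example, not SAP or Layer Seven Security code; it assumes plain "name = value" profile syntax, that an instance profile value overrides DEFAULT.PFL, and uses constructed profile excerpts.

```python
import re

PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' lines and blank
    lines are skipped and a repeated name keeps its last value."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def effective_params(default_text, instance_text):
    """Instance profile values override DEFAULT.PFL, which is why the
    text says icm/HTTP/admin_x must be removed from both files."""
    params = parse_profile(default_text)
    params.update(parse_profile(instance_text))
    return params

def audit(params):
    """Findings for the two hardening settings discussed in the notes."""
    findings = []
    if params.get("rfc/dynamic_dest_api_only", "").strip() != "1":
        findings.append("rfc/dynamic_dest_api_only is not 1: legacy dynamic RFC "
                        "destinations remain active (notes 3554667 / 3469791)")
    active_admin = sorted(k for k, v in params.items()
                          if re.fullmatch(r"icm/HTTP/admin_\d+", k) and v.strip())
    if active_admin:
        findings.append("ICM/Web Dispatcher administration UI enabled by "
                        + ", ".join(active_admin) + " (note 3520281 workaround)")
    return findings

# Constructed profile excerpts, not taken from a real system.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = PRD
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_DATA)/icmandir/admin
"""
INSTANCE_PFL_WEAK = """\
# instance profile (constructed)
rfc/dynamic_dest_api_only = 0
"""
INSTANCE_PFL_HARDENED = """\
rfc/dynamic_dest_api_only = 1
# empty value overrides the DEFAULT.PFL entry and disables the admin UI
icm/HTTP/admin_0 =
"""
```

Run audit(effective_params(DEFAULT_PFL, INSTANCE_PFL_WEAK)) to see both findings; the hardened instance profile produces none.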

Note 3483344 was updated with revised correction instructions to patch a high-risk missing authorization check that could be exploited to escalate privileges in SAP PDCE. The note deactivates the vulnerable functions.

Note 3509619 patches a privilege escalation vulnerability in some versions of the SAP Host Agent installed on Unix platforms that enables attackers belonging to the sapsys group to replace local files usually protected by privileged access.

Note 3335394 resolves a missing authorization check in SAP NetWeaver AS Java that could lead to unauthorized access and changes to the System Landscape Directory (SLD).

Notes 3522953 and 3393899 deal with information disclosure vulnerabilities in the Software Update Manager and Logon Application of NetWeaver AS Java.

SAP Security Notes, October 2024

Hot news note 3479478 was updated for a critical missing authentication check in SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The note includes details of a workaround that disables trusted authentication in the Business Intelligence Platform RESTful Web Services (BIPRWS) web application.

Note 3478615 patches a high-risk unrestricted file upload and malicious file execution vulnerability in BOBJ. In addition to applying the relevant support package patch detailed in the note, customers must create and maintain an access control list. The ACL should contain the list of folders that can contain personal data providers.

Note 3523541 addresses multiple vulnerabilities in Spring Framework and Log4j open-source libraries included in SAP Enterprise Project Connection. The patch included in the note updates the Spring framework and reload4j libraries to address the vulnerabilities.

Notes 3454858 and 3477359 deal with information disclosure vulnerabilities in SAP NetWeaver Application Server (AS) ABAP and AS Java, respectively. The vulnerabilities could be exploited to access restricted file system information and usernames and passwords for new RFC destinations.

SAP Security Notes, September 2024

Note 3459935 was updated in September with revised solution details to patch a high priority information disclosure vulnerability in SAP Commerce Cloud. Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, to be included in the request URL as query or path parameters. The impacted endpoints are detailed in the note. The note includes patches for both the cloud and on-premise editions. A workaround is also included in the note if the corrections cannot be implemented within a reasonable timeframe.

Note 3505503 addresses a Cross-Site Scripting (XSS) vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. The solution included in the note encodes parameters to address the vulnerability.

Notes 3501359 and 3498221 patch Cross-Site Scripting vulnerabilities in SAP CRM and SAP Enterprise Portal.

Note 3488039 deals with multiple missing authorization checks in SAP NetWeaver Application Server (AS) ABAP and ABAP Platform. The affected objects are function modules in function group SMTR_NAVIGATION_MODULES_BX. As a workaround, S_RFC authorizations can be withdrawn either for the function group (field RFC_TYPE with SMTR_NAVIGATION_MODULES_BX as the prefixed value) or for the individual function modules of SMTR_NAVIGATION_MODULES_BX (field RFC_NAME with the function module names).

SAP Security Notes, August 2024

Hot news note 3477196 deals with a critical Server-Side Request Forgery (SSRF) vulnerability in applications built with SAP Build Apps. SAP Build Apps is vulnerable to CVE-2024-29415 due to the use of an older version of a Node.js library included in software components for AppGyver. AppGyver is an open-source development platform used by SAP Build Apps. Applications should be rebuilt with version 4.11.130 or later in SAP Build Apps to address the vulnerability.

Hot news note 3479478 for CVE-2024-41730 patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by threat actors to compromise logon tickets used for single sign-on with a REST endpoint. The fix included in the note secures the default configuration of single sign-on enterprise authentication.

Note 3485284 addresses a high priority XML injection vulnerability in the Export Web Service of BEx Web Java Runtime in SAP Business Intelligence version 7.50. The issue is specific to PDF export only using Java ALV and ADS.

Note 3459935 fixes an information disclosure vulnerability in SAP Commerce Cloud that could lead to the leakage of Personally Identifiable Information (PII) data in query or path parameters. This includes passwords, email addresses, mobile numbers, coupon codes, and voucher codes. The vulnerability impacts specific API endpoints detailed in the note. A workaround is included in the note. Vulnerable endpoints should be replaced with the new secure variants detailed in the solution section of the note.