Category: Advisories

Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.

Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.

Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.

Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.

Hot News note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact to confidentiality, integrity and availability. SAP Business One allows read and write-access to SMB shared folders to anonymous users. The impacted components are the Crystal Reports (CR) shared folder, Traditional Mobile app (attachment path), RSP (log folder logic), Job Service and BAS (file upload folder). The correction in the note modifies SMB shared folder permissions to only grant read and write access to authenticated and authorized users.

Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions including ASE, Event Stream Processor IQ, Replication Server, and SQL Anywhere.

Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The required kernel patches to correct the vulnerability are specified in the note.

Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to brute force the Java Logon application to discover legitimate user IDs. The vulnerability impacts version 7.50 of the J2EE Engine Server Core.

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher, and SAP Host Agent. The installation of CommonCryptoLib 8.5.50 or higher in impacted products is recommended to address the vulnerability. This can be performed by upgrading the relevant software components to the recommended versions detailed in the note.

Note 3333426 was updated for a Server-Side Request Forgery (SSRF) in the GRMG Heartbeat application of SAP NetWeaver AS Java. The vulnerability could lead to information disclosure that could be used to perform further attacks against AS Java. The update impacts support packs 25 and 26 for the software component LM-CORE.

Notes 3324732 and 3371873 address a log injection vulnerability in the Log Viewer of AS Java. The support package patches specified in the note implement encoding and validation for user input to address the vulnerability in the impacted components.

Notes 3372991 and 3357154 patch Cross-Site Scripting (XSS) and missing XML validation vulnerabilities in SAP BusinessObjects and SAP PowerDesigner Client, respectively.

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the Enterprise component in BOBJ versions 4.2 and 4.3.

Note 3320355 removes sensitive information in responses from Promotion Management in BOBJ to clients in order to prevent information disclosure that could lead to the complete compromise of the application. Attackers require access to the promotion job folder for exploitation of the vulnerability. A temporary workaround can be applied by removing rights to the folder from users that do not require access.

Note 3370490 addresses a high-priority cross-site scripting vulnerability in the BOBJ Web Intelligence HTML interface. Due to insufficient file type validation, the Web Intelligence HTML interface allows a report creator to upload files from the local system into a report over the network. When uploading an image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data. The solution included in note 3370490 patches the vulnerability by blocking unauthorized file types.

Note 3327896 removes a high-risk buffer overflow vulnerability in the SAP Common Crypto Library that could be exploited to trigger a denial of service. A manipulated data package with a corrupted SNC NAME ASN.1 structure can lead to a parser error and crash the application. Customers should upgrade to CommonCryptoLib to 8.5.49 or higher.

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability that can enable threat actors to access password hashes in client memory. SAP PowerDesigner Client and Proxy should be upgraded to version 16.7 SP06 PL04 or 16.7 SP07 to patch the vulnerabilities. The patches include fixes for proxy side authentication and authorization, and logging of attempted access control violations.

SAP PowerDesigner is also impacted by a code injection vulnerability addressed by note 3341599. SAP SQL Anywhere bundled with some versions of PowerDesigner allows an attacker with local access to take control of the application by loading malicious libraries that can be executed by PowerDesigner. The note recommends upgrading to SP07 PL01 that includes a patched version of SQL Anywhere that does not load custom unicode extension DLL by default.

Note 3344295 addresses a high-risk authentication bypass vulnerability in the SAP Message Server.  The vulnerability can be addressed by applying the kernel patches specified in the note. However, the related exploits can be mitigated by setting the profile parameter system/secure_communication to ON, protecting the internal port of the Message Server, and setting the trace level to a value lower than 2.

Notes 3317710 and 3312047 patch binary hijack and denial of service vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ).

Note 3346500 removes the ability for users to authenticate with an empty passphrase in SAP Commerce Cloud by changing the default value of the configuration property user.password.acceptEmpty from true to false.

Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled in systems.

Notes 3340735 and 3233899 patch high-priority buffer overflow and HTTP request smuggling vulnerabilities in the SAP Web Dispatcher that could be exploited to leak information or trigger a denial of service.  The vulnerabilities affect only the HTTP/2 protocol. HTTP/1 is not affected. Standalone Web Dispatcher installations support HTTP/2 by default since version 7.73. Version 7.54 is only affected if parameter icm/HTTP/support_http2 is set to TRUE in the instance or DEFAULT profile. 7.45 is not affected because it does not support HTTP/2. Web Dispatcher installations that support HTTP/2 are only impacted if parameter icm/HTTP/support_http2 is explicitly set to TRUE.

Notes 3352058 and 3348145 deal with blind SSRF and header injection vulnerabilities impacting the Diagnostics Agent. The vulnerabilities can be addressed by upgrading the LM-SERVICE component in SAP Solution Manager. Note 2686969 includes instructions for upgrading the component to the required patch level.  

Notes 3324285 and 3326210 patch high priority vulnerabilities in SAP UI5. The former applies input validation to block the storage and reading of malicious scripts that could lead to cross-site scripting. The latter introduces additional restrictions to prevent the injection of untrusted CSS that can be exploited to perform clickjacking exploits. Note 3326210 includes a temporary workaround that involves removing the values of the “style” and “class” attributes in the html input of control sap.m.FormattedText and other controls.

Note 3102769 was updated for releases 7.31 and 7.40 of SAP Knowledge Warehouse (KW). The note resolves a high-priority cross-site scripting vulnerability in the Internet Knowledge Servlet (IKS) of KW. A workaround for the vulnerability is detailed in note 3221696. The IKS can be deactivated using the Config Tool. Alternatively, URL filters can be applied using the ICM or Web Dispatcher to block requests to the vulnerable component.

Notes 3319400, 2826092, 3331627 and 3318657 patch cross-site vulnerabilities in SAP BOBJ, CRM, Enterprise Portal, and the Design Time Repository of SAP NetWeaver, respectively.

Hot news note 3307833 patches a critical information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) platform. The vulnerability can be exploited by authenticated threat actors with administrator privileges to compromise the login token of any logged-in BI user or server over the network. The login ticket can be used to access the platform with the credentials of the compromised user. The vulnerability impacts versions 4.2 and 4.3 of BOBJ.

Hot news note 3328495 addresses multiple vulnerabilities in SAP 3D Visual Enterprise License Manager. This includes code injection, broken authentication, and session hijacking. The vulnerabilities can be addressed by updating SAP 3D Visual Enterprise License Manager to version 15.0.1-sap2. A workaround is also included in the note as a temporary fix. The workaround will disable the vulnerable web interface for the solution.

Note 3326210 includes corrections to apply input validation for untrusted CSS in SAPUI5. Notes 3217303 and 3213507 patch high-risk information disclosure vulnerabilities in the CMC and Monitoring DB components of BOBJ, respectively.

Note 3301942 provides a fix to validate signatures of JSON Web Tokens in HTTP requests and remove a missing authentication vulnerability in SAP Digital Manufacturing.

Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not effect metric data collection for data collectors that use the Agent. However, it will disable metric testing.

Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks report RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning a physical path to the logical path RSPO_FILE_LOCATION delivered with the note using transaction FILE.

Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.

Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.  

Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.

Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.

Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.

Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.