Category: Advisories

Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note 3097887 deletes the relevant report. There is no workaround. The vulnerability impacts all versions of SAP Basis from 700 to 756.

Hot News note 3101406 deals with an XML External Entity injection vulnerability in SAP Environmental Compliance. The vulnerability impacts the XMLBeans open source software bundled in Environmental Compliance to support data import functionality. The note updates some software components to secure versions and replaces other components with closed-source software. This highlights the risk of using open source software in commercial software.

Other important notes include 2900326 which removes a missing authorization check in Payment Engine and note 3077635 which deals with a Denial of Service vulnerability in mobile clients for SAP SuccessFactors.

Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but a temporary workaround is outlined in note 3093977.

Note 3081888 deals with a code Injection vulnerability for XMLForms in SAP NetWeaver Knowledge Management. The note includes a patch for the XMLToolkit parser to prevent the execution of malicious XSL stylesheet files containing scripts with OS-level commands.

Note 3073891 patches multiple OS command injection and reflected Cross-Site Scripting (XSS) vulnerabilities in SAP Contact Center. The vulnerabilities are caused by improper encoding of user input.  

Note 3089831 introduces input validation to protect the remote execution of vulnerable function modules that could be exploited to gain access to backend databases. The note includes instructions for blocking remote calls to the impacted function modules using Unified Connectivity (UCON) as a workaround.

Note 3084487 removes a vulnerable component of SAP NetWeaver Visual Composer that could be exploited by attackers to upload malicious files that run operating system commands with the privileges of the Java Server process. The commands could be used to read and modify data or provoke a denial of service.

Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The patches included in the note remove the vulnerable servlet from productive code.

Hot news note 3078312 deals with a blind SQL injection vulnerability in DMIS Mobile Plug-In and SAP S/4HANA. The notes adds an ASSERT statement after the authorization check for function module IUUC_RECON_RC_COUNT_TABLE_BIG that enforces import parameter IT_WHERE_CLAUSE to be empty. If import parameter IT_WHERE_CLAUSE is not empty, the execution of the function module will fail with a short dump. The deactivation of parameter IT_WHERE_CLAUSE is not expected to impact products released to customers, because the remote-enabled function module IUUC_RECON_RC_COUNT_TABLE_BIG is only used by SAP.

Note 3071984 includes an updated workaround for a critical unrestricted file upload vulnerability in SAP Business One. The vulnerability could be exploited to upload any malicious files including scripts without file format validation.

Note 3057378 patches a high risk missing authentication in SAP Web Dispatcher when using X.509 client certificates. The vulnerability also impacts SAP HANA and SAP HANA XS installations containing embedded Web Dispatchers.

Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications.  Note 3007182 includes kernel patches for multiple kernel and Basis versions.

Note 3059446 patches a high priority missing authorization check in NetWeaver AS Java. The Administration Workset in Guided Procedures does not perform necessary authorization checks for an authenticated user, resulting in an escalation of privileges. The affected functions have now been changed and enforced to properly check access restrictions. A possible workaround is to disable the GP Administration Workset using filters in the configuration template. In NWA->Java System Properties, choose the configuration template and in the Filters tab add the filter to disable the caf~eu~gp~ui~admin application.

Note 3056652 includes patches for the J2EE Server Core in NetWeaver AS Java to apply input validation for HTTP requests before storing monitoring data. This will protect against malicious HTTP requests with manipulated headers that could lead to the exhaustion of system resources and provoke a denial of service.

Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules. Customers that do not wish to install the patch can apply a workaround by adjusting the permissions that grant create and change privileges to the SourceRule type. The goal of the workaround is to ensure that only highly trusted employees have such privileges.

Notes 3021197, 3020209 and 302010 deal with multiple high-risk memory corruption vulnerabilities in SAP NetWeaver ABAP. The multiples could be exploited to perform a denial of service using specially crafted requests targeted at the Dispatcher process, SAP Gateway, and SAP Enqueue Server.

Note 3053066 removes a missing XML validation vulnerability in SAP NetWeaver AS Java that could enable attackers to read files in the file system or crash SAP services using specially crafted XML files. The note enables blocking of external entities via the XML parser.

Note 3046610 patches a high priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code.  The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note.  Access to SA38 and SE38 can be restricted as a workaround.

Notes 3049755 and 3049661 deal with multiple vulnerabilities in SAP Business One. This includes code injection, OS command injection, and information disclosure.

Notes 3012021 and 2745860 patch XML injection, information disclosure and unrestricted file upload vulnerabilities the Integration Builder Framework of SAP Process Integration.

Hot news note 2999854 was updated in April for a critical code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. BW and BW/4HANA allow a low privileged attacker to inject malicious code using a remote enabled function module over the network. Due to a lack of input validation, users granted RFC access to execute the function module can inject malicious ABAP code. The code is saved persistently in a report in the ABAP repository. The report can then be executed to inject the code, leading to the loss of sensitive data, modification of critical data, or denial of service. Note 2999854 introduces input validation for the effected functions to prevent code injection.

Hot news note 3040210 patches a remote code injection vulnerability in Source Rules of SAP Commerce. SAP Commerce Backoffice allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application. SAP Commerce installations that do not include any extensions from the Rule Engine module are not affected. Note 3040210 addresses this vulnerability by adding validation and output encoding when processing Promotion Rules and other Source Rules.

Note 3022422 includes an updated FAQ for a critical missing authorization check in the MigrationService of SAP NetWeaver Application Server Java (AS Java). The vulnerability could be exploited by attackers to grant administrative privileges by accessing specific configuration objects. The solution included in the note requires a system restart. Note 3030298 includes a temporary workaround if a restart is not possible.

Note 3001824 patches an information disclosure vulnerability in AS Java. Attackers can invoke telnet commands to access NTLM hashes of privileged users. Possible workarounds for the vulnerability include disabling outgoing NTLM traffic by group policy, blocking outgoing SMB requests via appropriate firewall rules, and, for Linux systems, disabling the Samba protocol on all the hosts in a cluster.

Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are executed by MII when dashboards are opened by users. The solution applied via note 3022622 blocks the saving of files as JSP through SSCE. There is no workaround for the vulnerability.

Hot news note 3022422 removes a missing authorization check in the MigrationService of the SAP NetWeaver Application Server Java (AS Java). This could provide unauthorized access to configuration objects including objects that grant administrative privileges. The solution requires a system restart. The workaround in note 3030298 can be applied if a system restart is not possible.

Note 3017378 addresses a high priority authentication bypass vulnerability in SAP HANA installations using external authentication via LDAP directory services. SAP HANA systems and users configured for LDAP are only vulnerable if the connected LDAP directory server is enabled for unauthenticated binds. Some directory servers can be configured to offer an unauthenticated bind via LDAP. In these cases, the SAP HANA database’s handling of LDAP authentication can be misused. An attacker can gain access to an SAP HANA database system without proper authentication through users enabled for LDAP-based authentication.

Hot News note 3014121 patches a critical remote code execution vulnerability in SAP Commerce. The Backoffice application in SAP Commerce enables certain users with required privileges to edit drools rules. An authenticated attacker with this privilege is able to inject malicious code in the drools rules, enabling the attacker to compromise the SAP host. This vulnerability affects the DroolsRule item type of the ruleengine extension. The DroolsRule item type exposes scripting facilities via its ruleContent attribute. Changing of ruleContent should normally be limited to highly privileged users, such as members of admingroup. Due to a misconfiguration of the default user permissions that are shipped with SAP Commerce, several lower-privileged users and user groups can gain permissions to change DroolsRule ruleContents and access scripting facilities.

SAP Commerce installations that do not have the ruleengine extension installed are not affected. However, the extension is a common component of SAP Commerce installations. Note 3014121 improves the default permissions that govern change access to scripting facilities of DroolsRules. Script editing facilities for DroolsRules can be disabled in the SAP Commerce Backoffice as a second line of defense.

Note 2986980 was updated for SAP Business Warehouse releases 7.0x. The note patches SQL injection and missing authorization checks in the Database Interface of SAP BW.

Notes 2743329 and 2475705 introduce switchable authorization checks for sensitive RFC-enabled modules in S/4HANA and SAP ECC.

Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW4HANA. The vulnerability could be exploited to execute privileged OS commands. The correction introduces a hard coded report name which can only be executed by a legitimate user in release 7.30. The note removes the impacted function in BW/4HANA.

Hot news note 2999854 patches a similar code injection vulnerability in SAP Business Warehouse and SAP BW4HANA. The note improves input validation to prevent the injection and execution of malicious code through the impacted function module.

Note 3000306 removes a high-risk Denial of service (DOS) vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note blocks the parallel execution of demo examples from the web version of ABAP Keyword Documentation to prevent resource exhaustion.

Finally, note 2993132 is updated for a missing authorization check impacting a RFC-enabled function module in SAP NetWeaver AS ABAP and SAP S4 HANA.