SAP Security Notes, March 2018
Note 2331141 addresses a high-risk SQL injection vulnerability in the FI Localization tables of S/4HANA. The corrections included in the support packages listed in the note will enable screening of user input for dangerous SQL statements. The formula expressions delivered in Note 2261750 are a prerequisite for user input validation checks delivered via the note.
Note 2604541 includes corrections in support packages for a dangerous denial of service and DDOS vulnerability in the Java OData Gateway. The vulnerability impacts vulnerable open-source Apache servlets that manage incoming OData requests. Refer to CVE-2017-12624 and CVE-2017-3156 for further details.
Notes 2596535 and 2587369 deal with information disclosure vulnerabilities in SAP Business Process Automation (BPA) by Redwood and SAP HANA 1.0 and 2.0. Both notes carry a CVSS score of 7.5 or higher and could be exploited to leak sensitive system and user-related data. In the case of SAP HANA, user credentials may be stored in clear text in indexserver trace files. Attackers may be able to access systems using compromised credentials garnered from the files. This requires TRACE_ADMIN or CATALOG READ privileges. Access to these and other critical privileges in HANA systems should be monitored using SAP Solution Manager.
Note 2595262 includes corrections for a cross-site scripting vulnerability in the SAP CRM WebClient UI. The note has multiple prerequisite notes including collective note 2577883.
Finally, Note 2538829 includes updated libraries for open-source components in the SAP Internet Graphics Server (IGS) that are vulnerable to remote code execution attacks that could lead to memory corruption and provoke a denial of service.