SAP Security Notes, November 2017
Note 2357141 includes updated instructions for removing a critical OS command injection vulnerability in Report for Terminology Export. This is a component of the Basis area Terminology and Glossary (transaction STERM) used to maintain standard terminology for management reporting, financial controlling, product development, and other areas. Report for Terminology Export does not sufficiently validate user input that is passed to the command variable of system calls to execute operating system commands. The vulnerability could be exploited to execute arbitrary OS commands with the privileges of the underlying service, which could compromise the SAP file system.
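The pattern behind this class of finding, shown as an added illustration rather than the actual code of Report for Terminology Export or of SAP's correction: a file name from the selection screen spliced into a shell command, beside a hardened form that allow-lists the input and delegates to a fixed external command. The command name ZTERM_EXPORT and the form names are assumptions for the example.

```abap
REPORT z_term_export_demo.

" Constructed input; in a real report this comes from the selection screen.
PARAMETERS p_file TYPE string LOWER CASE.

TYPES ty_line TYPE c LENGTH 255.

" VULNERABLE pattern: the file name reaches the command variable unchanged,
" so shell metacharacters in it become additional OS commands that run
" with the privileges of the SAP service user.
FORM export_unsafe USING iv_file TYPE string.
  DATA: lv_cmd TYPE c LENGTH 255,
        lt_out TYPE STANDARD TABLE OF ty_line.
  lv_cmd = |cp /usr/sap/trans/term.txt { iv_file }|.
  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
                ID 'TAB'     FIELD lt_out.
ENDFORM.

" HARDENED pattern: reject anything but a plain file name, then run a
" command that is defined in SM69 (hypothetical name ZTERM_EXPORT) so that
" no shell parses user input and the kernel checks parameters and
" authorisation against the SM69 definition.
FORM export_safe USING iv_file TYPE string.
  DATA: lv_param TYPE sxpgcolist-parameters,
        lt_log   TYPE STANDARD TABLE OF btcxpm.
  IF iv_file IS INITIAL OR strlen( iv_file ) > 64
     OR iv_file CN 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-'
     OR iv_file CS '..'.
    MESSAGE 'Invalid export file name' TYPE 'E'.
  ENDIF.
  lv_param = iv_file.
  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname           = 'ZTERM_EXPORT'
      additional_parameters = lv_param
    TABLES
      exec_protocol         = lt_log
    EXCEPTIONS
      no_permission         = 1
      command_not_found     = 2
      security_risk         = 3
      OTHERS                = 4.
  IF sy-subrc <> 0.
    MESSAGE 'Export command rejected' TYPE 'E'.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  PERFORM export_safe USING p_file.
```

The allow-list check rejects path separators and shell metacharacters before any OS interaction, and SM69 logging of the executed command gives a defender an audit trail that a raw CALL 'SYSTEM' does not.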
SAP updated the priority of Notes 2531241 and 2520772 from High to Hot News based on revised CVSS scores. The Notes were originally released in September and provide corrections for patching SAP Landscape Management (LVM) to prevent the storage of sensitive information, including administrative passwords, in plaintext within logs that can be read from database tables. The patches released with the Notes prevent LVM from persisting passwords in plaintext but do not remove sensitive information already stored in the logs. Therefore, the solution section includes instructions for changing passwords and for discovering and removing sensitive log entries.
Note 2500044 introduces improved key management procedures through the profile variable jstartup/secure_key in order to prevent attackers from accessing private keys used for instance communication in the J2EE.
Note 2026174 deals with a high risk code injection vulnerability in a component of the Apache Struts framework used by SAP BusinessObjects Enterprise.
Finally, Note 2542426 provides recommendations for removing a privilege escalation vulnerability in the Image Imports component of SAP Assortment Planning.