SAP Security Notes, October 2018
Hot News note 2654905 patches a high risk information disclosure vulnerability in the SAP BusinessObjects BI Suite. The execution of specific CMS queries on the Central Management Server could bypass authorization checks and lead to the leakage of sensitive data. The vulnerability scores 9.8/ 10 based on the Common Vulnerability Scoring System v3 (CVSS). Patches for BI 4.1 SP 10-12 and 4.2 SP 4-6 referenced in the Note enable authorization checks for vulnerable CMS queries.
Note 2699726 provides corrections to remove a missing network isolation error in SAP’s Open Source project Gardener. Gardener is an API server that provides Kubernetes clusters for several SAP products. SAP is responsible for security updates for Gardener instances and Gardener managed Kubernetes clusters at SAP. Note 2699726 applies only to Gardener stakeholders in the Open Source Community who operate their own Gardener installations. The Note recommends upgrading to Gardener release 0.12.4 or higher in order to prevent admins in shoot clusters from compromising seed clusters or other shoot clusters.
Note 2696962 provides instructions for dealing with a Denial of Service (DoS) vulnerability in the SQLite database engine of SAPFoundation. SQLite is embedded in the SAP Cloud Platform SDK for iOS 2.0 SP02 and 3.0.
Note 2674215 provides corrections for patching a stack overflow vulnerability that could be exploited by attackers to provoke a denial of service in SAP Plant Connectivity.