SAP Security Notes, April 2019
Note 2747683 patches a vulnerability in the signature security mechanism of the Adapter Engine in SAP NetWeaver Process Integration (PI). The vulnerability could enable attackers to spoof XML signatures and send arbitrary requests to the server via PI Axis adapter. Such requests will be accepted by the PI Axis adapter even if the payload has been altered, especially when the signed element is the body of the xml document. SAP has corrected the relevant code in PI Axis Adapter. The corrections apply additional checks for signed elements for correctness before signature validation. Customers should apply the relevant support packages and patches referenced by SAP Note 2747683.
Note 2776558 provides corrections for a high-risk insufficient authorization check in SAP Funding Management. The vulnerability could be exploited to escalate privileges and carries a CVSS score of 8.3/10.
Notes 2742758 and 2741201 deal with information disclosure vulnerabilities in in the messaging system and runtime workbench of SAP PI. This could lead to the leakage of sensitive system information that could be exploited to perform further attacks against the platform.
Note 2687663 patches a similar vulnerability in the .NET SDK WebForm Viewer of SAP Crystal Reports. Sensitive database information that could be disclosed by exploiting the vulnerability include user credentials.