SAP Security Notes, April 2020
HotNews note 2863731 provides updated correction instructions for a critical deserialization vulnerability in the enterprise Business Objects platform. The Crystal Reports .Net SDK WebForm Viewer in Business Objects could allow an attacker holding only basic authorizations to mount a deserialization attack, which could be exploited to execute malicious code.
Note 2904480 patches a significant input validation vulnerability in REST XML APIs within SAP Commerce. This could impact the availability and confidentiality of web stores based on the eCommerce platform.
Note 2896682 delivers corrections for a high-risk directory traversal vulnerability in Knowledge Management that could enable attackers to overwrite, delete, or corrupt files on SAP servers.
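Directory traversal in a document store comes down to one failure: a client-supplied name is allowed to resolve outside the root it was meant to stay in. The Python below is an added illustration of the defensive pattern, not code from SAP or from note 2896682. It shows both sides of the problem: a server-side `safe_join` that fully percent-decodes the requested name, resolves it against the base directory and rejects anything that lands outside it, and a log-side `flag_traversal` that picks out requests whose canonical path escapes the document root, including the double-encoded variants that a naive `..` string match misses. The `/km/documents` URL prefix, the `/srv/km` base directory and the log lines are constructed placeholders, not SAP paths.

```python
import os
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory). The /km/documents
# prefix is a hypothetical document root, not a real SAP Knowledge Management path.
SAMPLE_LOG = [
    "GET /km/documents/Public/report.pdf 200",
    "GET /km/documents/../../../../etc/passwd 404",
    "GET /km/documents/%2e%2e/%2e%2e/WEB-INF/web.xml 403",
    "GET /km/documents/%252e%252e/%252e%252e/config.properties 200",
    "GET /km/documents/images/logo.png 200",
]


def decode_fully(raw: str) -> str:
    """Percent-decode until the value stops changing (catches double encoding)
    and unify path separators so '..\\' is treated like '../'."""
    decoded = raw
    for _ in range(4):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def canonical_request_path(raw: str) -> str:
    """Canonical absolute form of a request path with '.' and '..' collapsed."""
    return posixpath.normpath("/" + decode_fully(raw).lstrip("/"))


def escapes_root(raw_path: str, root: str = "/km/documents") -> bool:
    """True if the canonical form of raw_path lies outside root."""
    root = posixpath.normpath(root)
    norm = canonical_request_path(raw_path)
    return not (norm == root or norm.startswith(root + "/"))


def flag_traversal(log_lines: List[str], root: str = "/km/documents") -> List[str]:
    """Detection side: return the request paths whose canonical form leaves root.
    Expects lines shaped like 'METHOD PATH STATUS'."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if escapes_root(parts[1], root):
            flagged.append(parts[1])
    return flagged


def safe_join(base_dir: str, requested: str) -> Optional[str]:
    """Server side: map a client-supplied name to a filesystem path inside base_dir.
    Returns None instead of silently sanitising when the name would escape via
    '..', encoding tricks or a NUL byte. realpath resolves symlinks, so a link
    pointing outside base_dir is rejected as well. A leading slash is treated as
    relative to base_dir rather than as an absolute path."""
    decoded = decode_fully(requested)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path)
    print(safe_join("/srv/km", "Public/report.pdf"))
    print(safe_join("/srv/km", "../../etc/passwd"))
```

The detector normalises before comparing rather than grepping for `..`, so it catches `%2e%2e` and `%252e%252e` the same way it catches a literal `../`; the server-side check rejects rather than rewrites, because a name that had to be cleaned was already a sign of hostile input.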
Note 2902645 removes a privilege escalation vulnerability impacting the SAP Host Agent. SAP recommends updating the Agent to at least version 7.21 PL46 to prevent attackers from gaining root privileges over the underlying operating system using the Agent’s Operation Framework. Note 1031096 provides instructions for upgrading the Host Agent.
Finally, notes 2495144 and 2495462 provide switchable authorization checks for specific, sensitive function modules in SAP Central Finance and SAP Leasing. Switchable checks supplement checks for authorization object S_RFC. They should be activated using transaction SACF after the notes are applied.