SAP Security Notes, April 2023
Hot news note 3305369 patches missing authentication check and code injection vulnerabilities in the SAP Diagnostics Agent. The note removes the EventLogServiceCollector and OSCommand Bridge components from the Agent to address the vulnerability. The patch does not affect metric data collection for data collectors that use the Agent. However, it will disable metric testing.
Hot news note 3294595 addresses a critical directory traversal vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that could be exploited to overwrite system files and trigger a denial of service, interrupting the availability of systems. Note 1512430 provides an alternative approach for removing the vulnerability. The note blocks reports RSPOXDEV and RSPOXOMS from overwriting files in AS ABAP. The corrections require assigning, via transaction FILE, a physical path to the logical path RSPO_FILE_LOCATION delivered with the note.
Note 3298961 fixes an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). Exploitation of the vulnerability could enable threat actors to discover the password of the BI user by accessing and decrypting the lcmbiar file. Password protection for the file can be applied as a workaround if the patch in the note cannot be applied.
Finally, note 3305907 addresses a high-priority directory traversal vulnerability that could enable attackers to upload and overwrite files in the BI Content Add-on for AS ABAP through a vulnerable report that does not apply sufficient authentication checks and file validation. The correction included in the note removes the ability to upload files through the vulnerable report.