SAP Security Notes – August 2016

Note 2319506 addresses a blind SQL injection vulnerability in Database Monitors for Oracle. The vulnerability impacts all versions of SAP Basis and rates extremely high on the impact scale of the Common Vulnerability Scoring System (CVSS). Attackers use content-based and time-based blind SQL injection to determine when input is interpreted as a SQL statement. The results are used to fingerprint databases, build database schemas and escalate attacks.

The blind SQL injection vulnerability in the Database Monitors is caused by improper validation of user-supplied input in the function modules STUO_GET_ORA_SYS_TABLE and STUO_GET_ORA_SYS_TABLE_2. The modules are used to read Oracle system tables containing sensitive data including database instances and logical names for database connections. Corrections for the vulnerability are included in support packages for relevant SAP Basis versions detailed in Note 2311011.

Note 2313835 deals with a high-risk denial of service vulnerability in the Internet Communication Manager (ICM). The ICM manages client-server communication using Web protocols such as HTTP and HTTPS. For NetWeaver Application Server Java, the ICM also manages communications based on the proprietary SAP P4 protocol. Note 2313835 provides kernel patches against DoS and DDoS attacks targeted at the P4 port of AS Java that could lead to service disruptions caused by resource exhaustion.

Note 2142551 delivers a framework for protecting AS ABAP against clickjacking attacks. This includes a client-dependent positive whitelist maintained in the HTTP_WHITELIST table. The key data to be maintained for each entry in the whitelist is entry_type and host. The recommended value setting for entry_type is 30 to enable clickjacking protection. Trusted hosts and domains should be defined in the host field.
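
Because the whitelist is client-dependent, each client needs its own review. The following audit of a table export is an added example, not code from SAP or from the note; the CSV column names (MANDT, ENTRY_TYPE, HOST), the sample rows and the treatment of `*` as a wildcard are assumptions.

```python
import csv
import io

CLICKJACKING_ENTRY_TYPE = "30"  # value the note recommends for clickjacking protection

# Constructed sample export of HTTP_WHITELIST. Column names are assumed;
# adjust them to match the export produced on your system.
SAMPLE_EXPORT = """\
MANDT,ENTRY_TYPE,HOST
100,30,portal.example.com
100,30,*
200,01,portal.example.com
300,30,*.example.com
400,30,fiori.example.com
"""

def audit_whitelist(export_text, clients):
    """Return {client: [findings]} for the clickjacking whitelist entries."""
    hosts = {client: [] for client in clients}
    for row in csv.DictReader(io.StringIO(export_text)):
        client = row["MANDT"].strip()
        if client in hosts and row["ENTRY_TYPE"].strip() == CLICKJACKING_ENTRY_TYPE:
            hosts[client].append(row["HOST"].strip())

    findings = {}
    for client, entries in hosts.items():
        issues = []
        if not entries:
            # The whitelist is client-dependent: entries in another client do not count.
            issues.append("no entry_type 30 entry in this client")
        for host in entries:
            if host == "":
                issues.append("host field empty")
            elif host == "*":
                # Assumption: a bare wildcard matches every host.
                issues.append("host '*' trusts every host")
            elif host.startswith("*"):
                issues.append(f"wildcard host {host}: confirm the whole domain is trusted")
        findings[client] = issues
    return findings

if __name__ == "__main__":
    for client, issues in audit_whitelist(SAMPLE_EXPORT, ["100", "200", "300", "400"]).items():
        print(client, issues or "ok")
```
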

Note 2012284 provides corrections to extend virus scanning to objects created by Knowledge Provider, a document and content management service within NetWeaver Application Servers.
