SAP Security Notes, August 2019
Hot News Note 2800779 patches a remote code execution vulnerability in the SAP NetWeaver UDDI Server. The vulnerability carries a CVSS score of 9.9/10 and could be exploited to take complete control of the Services Registry, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. The NetWeaver UDDI Server is an XML-based registry for Web Services.
Note 2786035 patches another critical remote code execution vulnerability in SAP Commerce Cloud (previously SAP Hybris Commerce). The Mediaconversion and Virtualjdbc extensions in SAP Commerce Cloud could execute malicious code injected by attackers or authenticated users. Note that some of the Mediaconversion Conversion Command parameters may not work after the implementation of the recommended patch until they are added to a whitelist.
Note 2813811 deals with a dangerous Server-Side Request Forgery (SSRF) vulnerability in the Administrator System Overview of SAP NetWeaver Application Server for Java (AS Java). The vulnerability could enable attackers to scan internal networks, perform Remote File Inclusion attacks, retrieve server files including password files, bypass firewalls, and force vulnerable servers to execute malicious requests. Refer to SAP KBA 2577844 to resolve known side-effects of the corrections in Note 2813811.