SAP Security Notes, August 2020
Hot News note 2928635 patches a critical code execution vulnerability in SAP Knowledge Management (KM). KM supports the automatic execution of potentially malicious scripts in stored files without authentication. The note recommends disabling the option for Force Text Download to remove the vulnerability. Force Text Download is a parameter of the WebDAV Protocol. WebDAV includes HTTP extensions to support file management on remote web servers. Content management operations in KM are performed by methods that conform to the WebDAV protocol. Force Text Download is deactivated by default. This prevents the opening of files containing malicious scripts. The Malicious Script Filter can be used to encode executable scripts in files uploaded to KM repositories and therefore block the execution of the scripts. Encoded scripts can be decoded using the Malicious Script Handler. Note 2938162 removes a broken authentication vulnerability in KM that enables unauthenticated users to upload files to content repositories.
Note 2941667 introduces authorization checks for report RSBDCREC when executed directly without transaction SHDB. This could be exploited to inject malicious code in recordings or extensions. The note extends checks for authorization object S_BDC_MONI to the report and adds checks for authorization object S_DEVELOP for a central API.
Note 2941315 patches a missing authentication check in a web service that could be exploited to provoke a denial of service in SAP NetWeaver AS JAVA. Note 2927956 mitigates a missing authentication check for the Unix Xvfb daemon required by SAP BusinessObjects Business Intelligence. The vulnerability could enable attackers to capture keystrokes and screen captures using the X server in SAP hosts.