SAP Security Notes, August 2021
Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The patches included in the note remove the vulnerable servlet from productive code.
Hot news note 3078312 deals with a blind SQL injection vulnerability in DMIS Mobile Plug-In and SAP S/4HANA. The note adds an ASSERT statement after the authorization check for function module IUUC_RECON_RC_COUNT_TABLE_BIG that enforces import parameter IT_WHERE_CLAUSE to be empty. If import parameter IT_WHERE_CLAUSE is not empty, the execution of the function module will fail with a short dump. The deactivation of parameter IT_WHERE_CLAUSE is not expected to impact products released to customers, because the remote-enabled function module IUUC_RECON_RC_COUNT_TABLE_BIG is only used by SAP.
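To make the shape of the fix concrete, the following added ABAP sketch shows the pattern the note describes: an authorization check, then an ASSERT that refuses a caller-supplied WHERE clause before it can reach dynamic SQL. This is an illustration written for this summary, not SAP's code from the note; the function module name Z_DEMO_COUNT_TABLE, the authorization object Z_DEMO_CNT and the parameter types are assumptions chosen for the example.

```abap
FUNCTION z_demo_count_table.
*"----------------------------------------------------------------------
*" Hypothetical remote-enabled function module (example only, not SAP code).
*"  IMPORTING
*"     VALUE(IV_TABNAME)      TYPE TABNAME
*"     VALUE(IT_WHERE_CLAUSE) TYPE STRINGTAB OPTIONAL
*"  EXPORTING
*"     VALUE(EV_COUNT)        TYPE I
*"  EXCEPTIONS
*"     NO_AUTHORITY
*"----------------------------------------------------------------------

  " 1. Authorization check first (authorization object Z_DEMO_CNT is an
  "    assumption for this example).
  AUTHORITY-CHECK OBJECT 'Z_DEMO_CNT'
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.

  " 2. Hardening in the style of note 3078312: a caller-supplied WHERE
  "    clause that is passed straight into a dynamic SELECT lets any
  "    authorized RFC caller append conditions of its own and infer table
  "    contents from whether the count changes (blind SQL injection).
  "    Refuse a non-empty value outright; a failed ASSERT terminates the
  "    call with a short dump (runtime error ASSERTION_FAILED) instead of
  "    executing caller-controlled SQL.
  ASSERT it_where_clause IS INITIAL.

  " 3. Only the fixed, parameter-free query remains reachable. Before the
  "    fix the statement would have read:
  "      SELECT COUNT(*) FROM (iv_tabname) WHERE (it_where_clause) INTO ev_count.
  SELECT COUNT(*) FROM (iv_tabname) INTO ev_count.

ENDFUNCTION.
```

The ASSERT deliberately sits after AUTHORITY-CHECK, matching the order in the note, so unauthorized callers are still rejected with the normal exception while authorized callers that supply a WHERE clause get a short dump rather than a silently ignored parameter. From a detection standpoint, ASSERTION_FAILED dumps in ST22 against this module after the patch are a useful signal that someone is still passing the parameter.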
Note 3071984 includes an updated workaround for a critical unrestricted file upload vulnerability in SAP Business One. The vulnerability could be exploited to upload any malicious files including scripts without file format validation.
Note 3057378 patches a high-risk missing authentication in SAP Web Dispatcher when using X.509 client certificates. The vulnerability also impacts SAP HANA and SAP HANA XS installations containing embedded Web Dispatchers.