SAP Security Notes, December 2023
Hot news notes 3350297 and 3399691 patch a critical OS command injection vulnerability in SAP S/4HANA and ECC. The notes are only applicable for installations with active IS-OIL software components. You can use transaction SFW_BROWSER to check the status of the OIB_QCI and OI0_COMMON_2 switches in BUSINESS_FUNCTION_BASIS_COM and COMMODITY_MGMT_&_BULK_LOGISTIC. IS-OIL is active if both switches are on. The notes are not relevant if only the OI0_COMMON_2 switch is on. The corrections in the notes will remove the Test Selected Routines option in report ROIB_QCI_CALL_TEST and block direct execution of Function Module OIB_QCI_SERVER.
Note 3411067 corrects multiple high-risk vulnerabilities in security integration libraries and programming infrastructure in the SAP Business Technology Platform (BTP) that could be exploited to escalate privileges. The note applies to all customers with applications developed on SAP BTP. The libraries are used to perform authentication and authorization checks calling SAP BTP Cloud Foundry Authorization and Trust Management Service (XSUAA) and SAP Cloud Identity Services – Identity Authentication (IAS). Customers should update the relevant integration libraries and programming infrastructure specified in the note to the recommended versions.
Note 3385711 provides a server-side fix in SAP NetWeaver AS ABAP for an information disclosure vulnerability that can be exploited in the SAP GUI clients for Windows and Java. The solution enables an authentication check to address the vulnerability.
Notes 3394567 and 3382353 deal with access control and cross-site scripting vulnerabilities in SAP Commerce Cloud and SAP BusinessObjects Business Intelligence, respectively.