SAP Security Notes, February 2019
Hot News Note 2742027 patches a critical broken authentication check in SAP HANA Extended Application Services, advanced model. The vulnerability could lead to unauthorized administrative access and the exfiltration, modification or deletion of sensitive data in HANA XS. The vulnerability carries a CVSS score of 9.4/10. It ranks relatively low in terms of attack complexity and requires no privileges in target systems. HANA XS Advanced should be upgraded to the patch level specified in the Note to address the risk. The Note includes manual instructions for a workaround if an upgrade is not possible. The workaround removes the affected OIDC component. A side-effect of the workaround is the deactivation of X.509-based or SPNEGO single sign-on for HANA users.
Note 2070691 deals with a high priority information disclosure vulnerability in the SAP Solution Tools Plug-In (ST-PI) that could lead to the leakage of sensitive data including configuration data and user passwords. The information can be used to perform targeted attack against database servers for SAP systems.
Note 2729710 includes a correction for a missing XML Validation vulnerability in the System Landscape Directory (SLD).
The correction avoids processing of all XML files that use XML External Entity (XXE). This could cause the SLD to continuously loop, read arbitrary files and send local files.