SAP Security Notes, February 2023
Hot news note 3273480 was updated in February for a critical vulnerability that could enable attackers to compromise installations of NetWeaver Application Server Java (AS Java) via an open JNDI interface exposed through User Defined Search (UDS). The updates include corrections for side effects caused by the original fix for the vulnerability that implemented authorization checks for affected public methods. Note 3301366 corrects side effects for alerting and monitoring after implementing note 3273480. Note 3284781 provides instructions to correct side effects observed for specific services used by Process Integration (PI).
Note 3285757 recommends upgrading the SAP Host Agent to the latest version 7.22 PL59 in order to patch a high priority privilege escalation vulnerability. Attackers can exploit the vulnerability to execute operating system commands using administrative privileges through webservice requests.
Note 3256787 includes a fix for an unrestricted file upload vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). The note also includes instructions for a workaround that involves applying a whitelist for file format types using the property upload.file.allowed.formats in the global.properties file.
Other important notes include 3263135 and 3271091 for information disclosure and privilege escalation vulnerabilities in BOBJ and SAP Business Planning and Consolidation (BPC), respectively.