SAP Security Notes, January 2021
Hot News note 2983367 corrects a code injection vulnerability in Master Data Management in SAP Business Warehouse and SAP BW/4HANA. The vulnerability could be exploited to execute privileged OS commands. In release 7.30, the correction introduces a hard-coded report name that can only be executed by a legitimate user; in BW/4HANA, the note removes the affected function entirely.
Hot News note 2999854 patches a similar code injection vulnerability in SAP Business Warehouse and SAP BW/4HANA. The note strengthens input validation in the affected function module to prevent the injection and execution of malicious code.
Note 3000306 removes a high-risk denial-of-service (DoS) vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform. The note blocks the parallel execution of demo examples from the web version of the ABAP Keyword Documentation, preventing resource exhaustion.
Finally, note 2993132 is updated for a missing authorization check affecting an RFC-enabled function module in SAP NetWeaver AS ABAP and SAP S/4HANA.