SAP Security Notes, January 2023
Hot news note 3089413 patches a critical capture-replay vulnerability that can lead to authentication bypass in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by the failure to use unique hashes for system identification. Note 3089413 includes corrections for the SAP kernel and the SAP Basis component. The corrections must be applied in both trusting and trusted systems.
Hot news note 3268093 deals with a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). An unauthenticated attacker can attach to an open interface and exploit an open naming and directory API to access services that can be used to perform unauthorized operations affecting users and data. This could allow the attacker to gain full read access to user data, modify data, and disrupt the availability of services within the system. The correction removes public access to the basicadmin and adminadapter services and introduces authentication and authorization for the relevant objects. The required permissions are automatically assigned to the Administrator, NWA_SUPERADMIN, and NWA_READONLY roles by the corrections.
Note 3243924 patches a high-risk insecure deserialization of untrusted data vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). Authenticated attackers with minimal privileges can intercept and modify serialized objects in the Central Management Console and BI LaunchPad of BOBJ. Note 3243924 restricts deserialization to specific internal classes. The note also includes instructions for a workaround that involves removing the vulnerable code in specific files.
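The restriction described for note 3243924 is, in Java terms, a class allowlist applied on the deserialization path. The following is an added illustration and not SAP's code or patch: it uses the JDK's built-in ObjectInputFilter (Java 9 and later) to accept one stand-in "internal" class and reject every other type before it is instantiated; the class and field names are invented for the example.

```java
import java.io.*;

// Added illustration, not SAP code: a class allowlist for Java deserialization.
public class DeserializationAllowlist {

    // Stand-in for an internal class the application legitimately exchanges.
    static class InternalSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        int pageSize = 25;
    }

    // Stand-in for any other serializable type substituted into the stream.
    static class ForeignObject implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "not expected here";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Only InternalSettings may be reconstructed. The trailing "!*" rejects
    // every other class at the class-descriptor stage, before any of its
    // constructor or readObject logic can run.
    static Object deserializeRestricted(byte[] data)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                InternalSettings.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeRestricted(serialize(new InternalSettings()));
        System.out.println("accepted: " + ok.getClass().getSimpleName());
        try {
            deserializeRestricted(serialize(new ForeignObject()));
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision in the exception message.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the jdk.serialFilter system property, which is useful where the stream is created in code that cannot be changed.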
Other important notes include 3262810 and 3275391 for code injection and SQL injection vulnerabilities in the Analysis Edition for OLAP in BOBJ and SAP Business Planning and Consolidation, respectively.