SAP Security Notes, July 2021
Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials that are intended only for internal communication. Note 3007182 includes kernel patches for multiple kernel and Basis versions.
Note 3059446 patches a high priority missing authorization check in NetWeaver AS Java. The Administration Workset in Guided Procedures does not perform the necessary authorization checks for an authenticated user, resulting in an escalation of privileges. The affected functions have been changed so that they properly enforce access restrictions. A possible workaround is to disable the GP Administration Workset using filters in the configuration template: in NWA -> Java System Properties, choose the configuration template and, in the Filters tab, add a filter that disables the caf~eu~gp~ui~admin application.
Note 3056652 includes patches for the J2EE Server Core in NetWeaver AS Java that apply input validation to HTTP requests before monitoring data is stored. This protects against malicious HTTP requests with manipulated headers that could exhaust system resources and cause a denial of service.