SAP Security Notes, July 2022
Several high-priority security notes were released in July for multiple vulnerabilities in SAP Business One. Note 3212997 patches an information disclosure issue that arises during the integration between Business One and SAP HANA. The vulnerability can be exploited to access privileged account credentials through the HANA cockpit’s data volume. Customers can switch from XPath passwords to explicit passwords in the FTP Adapter as a temporary workaround.
Note 3157613 deals with a missing authentication check in the License Service API of Business One that could enable attackers to provoke a denial of service.
Note 3191012 resolves a code injection vulnerability in Business One that enables threat actors to upload and execute malicious executable files, such as exe, bat, and other script or binary file types. The note blocks the upload of file types included in the Microsoft block list.
Notes 3221288 and 3213141 patch vulnerabilities that can lead to the leakage of token information and access credentials for SAP BusinessObjects Business Intelligence and SAP Landscape Management, respectively.