SAP Security Notes, July 2023
Hot news note 3350297 for a critical OS command injection vulnerability in SAP ECC and S/4HANA was re-released with instructions for confirming the prerequisites for the note. The IS-OIL component must be enabled in order for the note to be applicable. The note includes instructions for checking whether the component and supporting switches are enabled in systems.
Notes 3340735 and 3233899 patch high-priority buffer overflow and HTTP request smuggling vulnerabilities in the SAP Web Dispatcher that could be exploited to leak information or trigger a denial of service. The vulnerabilities affect only the HTTP/2 protocol. HTTP/1 is not affected. Standalone Web Dispatcher installations support HTTP/2 by default since version 7.73. Version 7.54 is only affected if parameter icm/HTTP/support_http2 is set to TRUE in the instance or DEFAULT profile. 7.45 is not affected because it does not support HTTP/2. Web Dispatcher installations that support HTTP/2 are only impacted if parameter icm/HTTP/support_http2 is explicitly set to TRUE.
Notes 3352058 and 3348145 deal with blind SSRF and header injection vulnerabilities impacting the Diagnostics Agent. The vulnerabilities can be addressed by upgrading the LM-SERVICE component in SAP Solution Manager. Note 2686969 includes instructions for upgrading the component to the required patch level.