SAP Security Notes, March 2020
Hot News note 2845377 patches a missing authentication check in the Diagnostics Agent. The Agent is a component of the Solution Manager landscape. It commonly connects to the Java server in Solution Manager through the J2EE Message Server HTTP port. This is recommended by SAP. However, it can also connect to Solution Manager using a direct P4 connection. P4 is a proprietary SAP protocol based on Remote Method Invocation (RMI) and Common Object Request Broker Architecture (CORBA). Direct P4 connections between Solution Manager and Diagnostics Agents are not recommended by SAP for most scenarios.
The patch delivered in note 2845377 closes the P4 port and therefore prevents the ability to connect to the service. Leaving the port open could enable attackers to connect to the Agent and execute commands using the permissions of the <SID>adm user. It could also enable attackers to shut down the agent. This could interrupt monitoring in Solution Manager. However, the impact on security monitoring would be minimal since the Diagnostics Agent supports monitoring for AS Java and SAProuter log files only. Availability monitoring is performed using the SAP Host Agent. The Diagnostics Agent is used primarily for performance monitoring.
Hot News note 2890213 patches a missing authentication check in User-Experience Monitoring (UXMon). UXMon executes and analyzes the results of client-side scripts to monitor availability and performance metrics in endpoints. The note enables user authentication for the EemAdmin administration service.
Note 2806198 provides corrections for a critical directory traversal vulnerability in the SAP NetWeaver Universal Description Discovery and Integration (UDDI) Server. The UDDI Server is a Services Registry containing definitions for enterprise services and metadata references. It also provides information related to web service consumers and providers including physical systems.