SAP Security Notes, March 2021
Hot news note 3022622 patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). SAP MII allows users to create dashboards and save them as JSP through the SSCE (Self Service Composition Environment). Attackers can target this feature to inject malicious JSP code that include OS commands. The code and commands are executed by MII when dashboards are opened by users. The solution applied via note 3022622 blocks the saving of files as JSP through SSCE. There is no workaround for the vulnerability.
Hot news note 3022422 removes a missing authorization check in the MigrationService of the SAP NetWeaver Application Server Java (AS Java). This could provide unauthorized access to configuration objects including objects that grant administrative privileges. The solution requires a system restart. The workaround in note 3030298 can be applied if a system restart is not possible.
Note 3017378 addresses a high priority authentication bypass vulnerability in SAP HANA installations using external authentication via LDAP directory services. SAP HANA systems and users configured for LDAP are only vulnerable if the connected LDAP directory server is enabled for unauthenticated binds. Some directory servers can be configured to offer an unauthenticated bind via LDAP. In these cases, the SAP HANA database’s handling of LDAP authentication can be misused. An attacker can gain access to an SAP HANA database system without proper authentication through users enabled for LDAP-based authentication.