SAP Security Notes, March 2023
Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.
Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.
Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.
Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.