SAP Security Notes, March 2024
Hot news note 3425274 deals with a critical code injection vulnerability in applications developed with SAP Build Apps. The note recommends rebuilding applications with version 4.9.145 or later.
Hot news note 3433192 patches a code injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The plug-in allows threat actors with the Administrator role to upload potentially dangerous files that could be exploited to run arbitrary commands. The corrections included in the note block the upload of dangerous file types and supports virus scanning for uploaded files.
Note 3414195 includes support package patches for SAP BusinessObjects Business Intelligence (BOBJ) version 4.3 SP02 – 05 to address a high-priority path traversal vulnerability in the Central Management Console. The vulnerability arises from a version of Apache Struts included in BOBJ which is vulnerable to CVE-2023-50164.
Note 3410615 corrects a Denial-of-Service vulnerability impacting SAP HANA XS. The DoS can be triggered by a high volume of HTTP/2 requests. The HTTP/1 protocol is not affected. A workaround can be applied by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false to disable support for the HTTP/2 protocol.
Note 3346500 was updated with revised solution information for a high-risk authentication vulnerability in SAP Commerce Cloud. The solution changes the default value of the property user.password.acceptEmpty to false to prevent the use of empty passphrases for user authentication.