SAP Security Notes, November 2019
Hot News Note 2839864 updates Note 2808158 for a high-risk OS Command Injection vulnerability in the SAP Diagnostics Agent. The vulnerability lies in the OS Command Plugin of the Agent, which is reachable through transaction GPA_ADMIN and the OS Command Console. Note 2839864 provides a patch for LM_SERVICE for Support Package levels 6 to 9 of the Agent. For earlier versions, the commands.xml file must be replaced with the new version delivered with the Note. It is recommended to apply the setting 'param="false"' so that attackers cannot inject commands through the parameters of the commands defined in that file.
Note 2814007 includes Support Package patches for a Missing XML Validation vulnerability in the HTML interface of Web Intelligence (WebI). WebI is a component of the SAP BusinessObjects Business Intelligence Platform. Missing XML Validation is SAP's term for the XML External Entity (XXE) class of issue: the parser resolves entities supplied in user-controlled XML. Successful exploitation could allow attackers to read arbitrary files from the server or provoke a denial of service.
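To make the WebI finding concrete, the following is an added example written for this summary; it is not code from SAP, the Note, or the WebI product. It shows the pattern behind a Missing XML Validation finding in a Java application: a DOM parser left in its default configuration resolves an external entity and returns the contents of a server-side file, while a parser hardened to reject DOCTYPE declarations refuses the same input before any entity is resolved. The payload, the element names and the temporary "secret" file are constructed for the demonstration; the JAXP feature URIs are the standard Xerces ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed request body: an external general entity pointing at a file on the server.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE report [<!ENTITY leak SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<report><title>&leak;</title></report>";
    }

    // Parser as many applications configure it: DTDs and external entities are allowed
    // in the default configuration of the JDK's bundled Xerces parser.
    static DocumentBuilder unsafeBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder();
    }

    // Hardened parser: no DOCTYPE at all, hence no external, parameter or recursive entities.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the document and returns the text of <title>, as a report handler might.
    static String titleOf(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("title").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a configuration file on the application server.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db_password=hunter2");
        String xml = payload(secret);

        // Default parser: the entity is resolved and the file content lands in the response.
        System.out.println("unsafe parser returned: " + titleOf(unsafeBuilder(), xml));

        // Hardened parser: the DOCTYPE is rejected, so the file is never opened.
        try {
            titleOf(hardenedBuilder(), xml);
            System.out.println("hardened parser unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Disallowing the DOCTYPE is the single most effective setting because it removes the entity mechanism entirely (the file-read and the entity-expansion denial-of-service variants alike); the remaining features are kept so the parser stays safe if a DTD ever has to be permitted again. The same check applies when auditing any XML-consuming endpoint: find where the factory is created and confirm these features are set before the patch from the Note is relied on as the only control.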
Note 2393937 delivers switchable authorization checks for remote-enabled function modules in SAP Internet Pricing and Configurator (IPC). Switchable authorization checks supplement the checks performed using authorization object S_RFC with checks specific to the function module being called. They are delivered inactive and take effect only once the corresponding scenario is activated with transaction SACF.