Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query. Attackers can abuse the function module to inject malicious ABAP code that could lead to the complete compromise of the affected system.
Note 2982840 addresses multiple critical vulnerabilities in SAP Data Services, including remote execution and denial of service.
Finally, note 2979062 deals with a privilege escalation vulnerability in the UDDI Server of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary OS commands and compromise the operating system.