SAP Security Notes, November 2020
Hot News note 2973735 patches a code injection vulnerability in SAP AS ABAP and S/4 HANA. The note introduces an authorization check for object S_DMIS to control the execution of a vulnerable function module by RFC. The function module is used for checking the syntax for a table selection query. Attackers can abuse the function module to inject malicious ABAP code that could lead to the complete compromise of the affected system.
Note 2982840 addresses multiple critical vulnerabilities in SAP Data Services, including remote execution and denial of service.
Hot News notes 2985866 and 2890213 remove missing authentication checks in the LM-SERVICE within the Java stack of SAP Solution Manager.
Finally, note 2979062 deals with a privilege escalation vulnerability in the UDDI Server of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary OS commands and compromise the operating system.