SAP Security Notes, November 2021
Hot news note 3089831 was updated for a SQL Injection vulnerability in the SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or injecting code through vulnerable NZDT function modules. The automatic corrections applied through the note deactivate some of the affected function modules and deactivate the import parameter for the others. As a result, the SAP Test Data Migration Server will no longer be usable after the fix is applied. A workaround is included in the note for cases where the fix cannot be applied: it blocks external calls to the relevant function modules using Unified Connectivity (UCON). However, the function modules may still be called by local users with sufficient privileges, so the workaround does not remove the underlying flaw.
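The vulnerability class behind note 3089831 (untrusted input reaching a database query through a function module) is illustrated below with an added Python example against an in-memory SQLite table. This is not SAP's code: the NZDT function modules are ABAP, and the table, column and function names here are constructed for the demonstration. The example shows the dynamic-query form beside its parameterized replacement, an allowlist check on the mapping-table name, and a caller gate that mirrors the UCON workaround, which blocks external callers but leaves local callers able to reach the same code.

```python
import re
import sqlite3

# Constructed stand-in for a mapping table (source table -> target table).
# The schema and rows are invented for this example; they are not SAP's.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mapping (src_table TEXT, tgt_table TEXT)")
    conn.executemany(
        "INSERT INTO mapping VALUES (?, ?)",
        [("CUST_A", "CUST_B"), ("ORD_A", "ORD_B"), ("HR_A", "HR_B")],
    )
    return conn


def lookup_unsafe(conn, src):
    # Vulnerable pattern: the caller-supplied value is concatenated into the
    # WHERE clause, so a crafted value changes the query's structure.
    sql = "SELECT tgt_table FROM mapping WHERE src_table = '" + src + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_safe(conn, src):
    # Hardened pattern: a bound parameter is always treated as a literal value,
    # never as SQL text, regardless of what characters it contains.
    rows = conn.execute(
        "SELECT tgt_table FROM mapping WHERE src_table = ?", (src,)
    )
    return sorted(r[0] for r in rows)


# Defence in depth: table names in this constructed schema are uppercase
# identifiers, so anything else is rejected before it reaches the database.
TABLE_NAME = re.compile(r"^[A-Z0-9_/]{1,30}$")


def is_valid_table_name(src):
    return bool(TABLE_NAME.match(src))


def lookup_guarded(conn, src, external_caller):
    # Mirrors the UCON-style workaround described in the note: external calls
    # are refused outright. Local callers still reach the query, which is why
    # the query itself must also be parameterized and the input validated.
    if external_caller:
        raise PermissionError("function module not exposed to external callers")
    if not is_valid_table_name(src):
        raise ValueError("rejected mapping-table name: %r" % src)
    return lookup_safe(conn, src)


def demo():
    conn = build_db()
    benign = "CUST_A"
    # Constructed hostile input: a quote closes the literal and appends an
    # always-true condition in the vulnerable version.
    hostile = "X' OR '1'='1"
    results = {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # every row leaks
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),       # no such table name
        "guarded_local": lookup_guarded(conn, benign, external_caller=False),
    }
    try:
        lookup_guarded(conn, benign, external_caller=True)
        results["guarded_external"] = "allowed"
    except PermissionError:
        results["guarded_external"] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the unsafe lookup returning all three target tables for the hostile value while the parameterized lookup returns nothing, and the guarded entry point refusing the external call while still serving a local one. The last point is the practical caveat from the note: a connectivity-layer block reduces exposure but is not a substitute for the code correction.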
Hot news note 3099776 patches a missing authorization check in the ABAP Platform Kernel. The vulnerability could be exploited to escalate privileges and access connected systems through RFC or HTTP connections. The SP Stack Kernels recommended in the note should be installed to apply the transaction code (TCODE) check that addresses the vulnerability.
Note 2827086 provides corrections for multiple vulnerabilities affecting SAP Forecasting and Replenishment for Retail in SAP Supply Chain Management (SCM). These include memory corruption and denial-of-service issues.
Note 2971638 removes hardcoded credentials for CA Introscope Enterprise Manager in SAP Solution Manager and SAP Focused Run. The note also includes the manual steps required to update the credentials after the fix is applied.
Note 3110328 applies search restrictions to resolve a missing authorization check in the B2B Accelerator of SAP Commerce that could lead to an escalation of privileges.