SAP Security Notes, November 2023
Hot News Note 3355658 patches a critical missing authentication check vulnerability in SAP Business One. The vulnerability has a CVSS Base Score of 9.6/10 with a high impact on confidentiality, integrity and availability. SAP Business One grants anonymous users read and write access to its SMB shared folders. The impacted components are the Crystal Reports (CR) shared folder, the Traditional Mobile app (attachment path), RSP (log folder logic), the Job Service and BAS (file upload folder). The correction in the note modifies the SMB shared folder permissions so that read and write access is granted only to authenticated and authorized users.
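A quick way to confirm that the share permissions on a Business One host no longer grant anything to anonymous or catch-all principals, as an added audit example (not part of the SAP note, and not SAP's own tooling). It assumes a Windows host with the built-in SmbShare module; the share-name pattern is an assumption to be narrowed to the Business One shares in your landscape.

```powershell
# Added example: list SMB share grants to anonymous / catch-all principals.
# $SharePattern is an assumption; restrict it to your Business One share names.
$SharePattern = '*'

# Principals that should not hold any grant on a folder used for CR reports,
# mobile attachments, RSP logs, Job Service or BAS uploads.
$AnonymousPrincipals = @(
    'Everyone',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Guests'
)

function Find-AnonymousShareAccess {
    param([string]$Pattern = '*')

    Get-SmbShare -Name $Pattern -ErrorAction Stop |
        Where-Object { -not $_.Special } |        # skip admin shares (C$, IPC$, ...)
        ForEach-Object {
            $share = $_
            Get-SmbShareAccess -Name $share.Name |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $AnonymousPrincipals -contains $_.AccountName
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share       = $share.Name
                        Path        = $share.Path
                        Principal   = $_.AccountName
                        AccessRight = $_.AccessRight   # Read / Change / Full
                    }
                }
        }
}

$findings = @(Find-AnonymousShareAccess -Pattern $SharePattern)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) share grant(s) allow anonymous access; replace them with grants to the authorized Business One service and user accounts."
} else {
    Write-Host 'No share grants to anonymous or catch-all principals found.'
}
```

Share-level grants are only half the picture: the NTFS ACL on each underlying path should be reviewed the same way, since the effective permission is the more restrictive of the two.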
Note 2494184 was updated for a Cross-Site Request Forgery (CSRF) vulnerability impacting multiple SAP Sybase solutions, including ASE, Event Stream Processor, IQ, Replication Server, and SQL Anywhere.
Note 3362849 addresses an information disclosure vulnerability impacting the Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The kernel patches required to correct the vulnerability are specified in the note.
Note 3366410 patches an information disclosure vulnerability in SAP NetWeaver Application Server Java that allows attackers to brute-force the Java Logon application to discover legitimate user IDs. The vulnerability impacts version 7.50 of the J2EE Engine Server Core.