SAP Security Notes, October 2020
Hot news note 2969828 patches an OS command injection vulnerability in CA Introscope Enterprise Manager (EM) installed in SAP Solution Manager and SAP Focused Run. EM can be used to monitor the performance of Java applications. The note includes a patch for EM 10.7 and 10.5 SP2 patch 2 to remove the vulnerability. Earlier versions need to be upgraded to version 10.5.2.113 before applying the patch. If the patch cannot be applied immediately, the EM service can be stopped in affected systems. Stopping the service will not impact the Cybersecurity Extension for SAP Solution Manager, since the extension does not require the service.
Note 2969457 addresses missing XML validation in Compare Systems within SAP NetWeaver, which can be exploited to read arbitrary OS files or provoke a denial of service.
Note 2972661 patches a high priority reflected cross-site scripting vulnerability in the SAP NetWeaver Composite Application Framework.
Notes 2941315 and 2898077 contain important updates for a missing authentication check in SAP NetWeaver AS JAVA and information disclosure in SAP Business Objects Business Intelligence Platform, respectively.