SAP Security Notes, October 2021
Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note 3097887 deletes the relevant report. There is no workaround. The vulnerability impacts all versions of SAP Basis from 700 to 756.
Hot News note 3101406 deals with an XML External Entity injection vulnerability in SAP Environmental Compliance. The vulnerability impacts the XMLBeans open source software bundled in Environmental Compliance to support data import functionality. The note updates some software components to secure versions and replaces other components with closed-source software. This highlights the risk of using open source software in commercial software.
Other important notes include 2900326 which removes a missing authorization check in Payment Engine and note 3077635 which deals with a Denial of Service vulnerability in mobile clients for SAP SuccessFactors.