SAP Security Notes, October 2022
Hot News note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. Logon forms served from attacker-controlled servers can then be used to harvest credentials and hijack accounts. Note 3239152 includes a fix for specific versions of SAP Commerce Cloud. Workarounds are also detailed in the note for cases where the patches cannot be applied: removing the OAuth extension, and URL filtering, which can be implemented using website redirects in SAP Commerce. However, the workarounds have known side-effects. For example, the OAuth extension is required by the SmartEdit Module, the Assisted Service Module, and other extensions, and OAuth may also be required for integrations.
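The URL-filtering workaround amounts to refusing to redirect anywhere but the site itself or an explicit allowlist. The validator below is an added illustration of that check written for this summary, not SAP Commerce code and not the mechanism of note 3239152; the allowlisted hostnames and the fallback path are assumed sample values.

```python
from urllib.parse import urlsplit

# Hosts a redirect parameter may point to (constructed sample values).
ALLOWED_HOSTS = {"shop.example.com", "sso.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an https URL
    whose host is on the allowlist. Everything else is rejected."""
    if not target or any(c in target for c in "\r\n\t "):
        return False
    # Browsers treat backslashes as slashes, so "/\evil" acts like "//evil";
    # reject them rather than trying to normalise.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: allow "/path" but not "//host" or "///host"
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # http:, javascript:, data:, etc.
    if parts.username or parts.password:
        return False  # "https://good.example@evil.example" trick
    host = (parts.hostname or "").lower()
    return host in allowed_hosts  # exact match, so "good.example.evil" fails


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Pick the post-logon destination: the requested target if it passes
    the check, otherwise a fixed same-site fallback."""
    return target if is_safe_redirect(target) else fallback
```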
Note 3242933 provides a fix for a critical directory traversal vulnerability in SAP Manufacturing Execution that could lead to information disclosure. The affected plugins are Work Instruction Viewer (WI500) and Visual Test and Repair (MODEL_VIEWER).
Note 3229132 patches an information disclosure vulnerability in Program Objects within SAP BusinessObjects Business Intelligence Platform that could be exploited to compromise OS credentials. The credentials are exposed in cleartext to administrators.
Note 3232021 deals with a buffer overflow vulnerability in SAP SQL Anywhere and SAP IQ that can be used to trigger a denial of service in database servers.
Notes 3245929 and 3245928 patch multiple high-risk vulnerabilities in SAP Visual Enterprise Viewer.