SAP Security Notes, March 2022
Note 3123396 patches SAP NetWeaver Application Server ABAP and the Web Dispatcher for CVE-2022-22536. This is related to the ICMAD (Internet Communication Manager Advanced Desync) vulnerability that was the subject of alerts from multiple threat intelligence agencies including CISA and CERT-EU. ICMAD is a memory corruption vulnerability that can be exploited through a single HTTP […]
SAP Security Notes, February 2022
The central note 3131047 was updated with the addition of security notes 3142773 and 3139893 for the critical remote code execution vulnerability in the Apache Log4J 2 component. The new notes patch Log4Shell in SAP Commerce and SAP Dynamic Authorization Management and include manual procedures to apply both patches and workarounds. Note 3140940 patches a […]
SAP Security Notes, January 2022
Multiple Hot News notes were released in January as part of SAP’s continued efforts to patch solutions impacted by the critical Log4Shell vulnerability. This includes Process Orchestration (note 3130521), Data Intelligence (3130920) and Business One (3131740). The central note 3131047 consolidates patches for the remote code execution vulnerability in the vulnerable Apache Log4j 2 component. […]
SAP Security Notes, December 2021
The central security note 3131047 consolidates Log4Shell patches for SAP products. Log4JShell is regarded as one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications. Log4Shell impacts Log4J, a widely installed […]
SAP Security Notes, November 2021
Hot news note 3089831 was updated for a SQL Injection vulnerability in SAP NZDT Mapping Table Framework. SAP NZDT (Near Zero Downtime Technology) is a service that supports system conversion with minimal downtime. The vulnerability could enable attackers to access backend databases by executing malicious queries or inject code through vulnerable NZDT function modules. The […]
SAP Security Notes, October 2021
Hot News note 3097887 patches a broken authorization check in SAP NetWeaver AS ABAP and ABAP Platform. The vulnerability could be exploited by attackers with developer or administrator rights to transfer malicious code to vulnerable systems. This can be performed via a LEAVE PROGRAM statement in a specific report within the software logistics system. Note […]
SAP Security Notes, September 2021
Hot news note 3078609 patches a missing authorization check in the JMS Connector Service of SAP NetWeaver Application Server for Java. The vulnerability could be exploited to execute arbitrary code in the system remotely and without authentication. Hence, the note carries the maximum CVSS score of 10/10. A fix is included in the note but […]
SAP Security Notes, August 2021
Hot news note 3072955 patches a Server Side Request Forgery (SSRF) vulnerability in the Component Build Service of SAP NetWeaver Development Infrastructure (NWDI). The Component Build Service includes a vulnerable servlet that could be targeted to perform proxy attacks. The vulnerability has a CVSS score of 9.9/10 for NWDI installations exposed to the internet. The […]
SAP Security Notes, July 2021
Hot News Note 3007182 contains updated corrections for a broken authentication vulnerability in the SAP NetWeaver AS ABAP and ABAP Platform. The corrections improve the ability to distinguish between internal and external RFC and HTTP connections. This protects against external threat actors using credentials for internal communications. Note 3007182 includes kernel patches for multiple kernel […]
SAP Security Notes, June 2021
Hot News note 3040210 patches a critical remote code execution vulnerability in Source Rules of SAP Commerce. The vulnerability affects both on-premise installations of SAP Commerce and SAP Commerce Cloud in the Public Cloud. SAP Commerce Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to […]