Description:

SAP has released security update to address multiple vulnerabilities in the following products:

• SAP Solution Manager (User Experience Monitoring)
  • Version 7.2
• SAP Solution Manager (Diagnostics Agent)
  • Versions 7.2
• SAP Business Client
  • Version 6.5
• SAP NetWeaver UDDI Server (Services Registry)
  • Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP Business Objects Business Intelligence Platform (Crystal Reports)
  • Versions 4.1, 4.2
• SAP Disclosure Management
  • Version 10.1
• SAP BusinessObjects Mobile (MobileBIService)
  • Version 4.2
• SAP MaxDB (liveCache)
  • Versions - 7.8, 7.9
• SAP Commerce Cloud (Testweb Extension)
  • Versions 6.6, 6.7, 1808, 1811, 1905
• SAP NetWeaver Application Server Java (User Management Engine)
  • Versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP Commerce Cloud (SmartEdit Extension)
  • Versions 6.6, 6.7, 1808, 1811
• SAP ERP (EAPPGLO)
  • Versions 607
• SAP Enable Now
  • Before Version 1911 
• SAP Fiori Launchpad
  • Versions 753, 754
• SAP Fiori Launchpad
  • Version 1.0
• SAP Treasury and Risk Management (Transaction Management)
  • Versions EA-FINSERV 600, 603, 604, 605, 606, 616, 617, 618, 800, S4CORE 101, 102, 103, 104
• SAP Enable Now
  • Before Version 1908 

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Missing Authorization Check.
• Denial of service (DoS) attack.
• Cross-site scripting (XSS) attack.

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812