Description:

SAP has released a security update to address multiple vulnerabilities in the following products:

• SAP Solution Manager (User Experience Monitoring)
  • 9.7, 10.1, 10.5, 10.7
• SAP Business Client
  • 6.5
• SAP NetWeaver (ABAP Server) and ABAP Platform
  • 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755
• SAP NetWeaver Composite Application Framework
  • 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver (Compare Systems)
  • 7.20, 7.30, 7.31, 7.40, 7.50
• CA Introscope Enterprise Manager (Affected products: SAP Solution Manager and SAP Focused Run)
  • 9.7, 10.1, 10.5, 10.7
• SAP NetWeaver AS JAVA
  • (ENGINEAPI) 7.10, 7.10;
  • WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
  • J2EE-FRMW 7.10, 7.11
• SAP Business Objects Business Intelligence Platform
  • 4.1, 4.2
• SAP Landscape Management
  • 3.0
• SAP Adaptive Extensions
  • 1.0
• SAP NetWeaver Application Server Java
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP 3D Visual Enterprise Viewer
  • 9
• SAP Commerce Cloud
  • 1808, 1811, 1905, 2005
• SAP Business Planning and Consolidation
  • 750, 751, 752, 753, 754, 755, 810, 100, 200
• SAP ERP (HCM Travel Management)
  • 600, 602, 603, 604, 605, 606, 607, 608
• SAP Commerce Cloud
  • 1808, 1811, 1905, 2005
• SAP NetWeaver (DI Design Time Repository)
  • 7.11, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver Application Server Java
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver Enterprise Portal (Fiori Framework Page)
  • 7.50, 7.31, 7.40
• SAP NetWeaver Application Server ABAP (POWL test application)
  • 710, 711, 730, 731, 740, 750
• SAP Banking Services
  • 500
• SAP Commerce Cloud
  • 1808, 1811, 1905, 2005

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Unauthorized disclosure of information.
• Cross-site scripting (XSS) attack.

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196