Description:

SAP has released a security update to address multiple vulnerabilities in the following products:

• SAP Solution Manager (User Experience Monitoring)
  • 7.2
• SAP Business Client
  • 6.5
• SAP Marketing (Mobile Channel Servlet)
  • 130, 140, 150
• SAP NetWeaver (ABAP Server) and ABAP Platform
  • 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755
• SAP Netweaver AS ABAP
  • 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754
• BANKING SERVICES FROM SAP 9.0(Bank Analyzer)
  • 500
• S/4HANA FIN PROD SUBLDGR
  • 100
• SAP Commerce
  • 6.7, 1808, 1811, 1905, 2005
• SAP NetWeaver AS ABAP (BSP Test Application)
  • 700,701,702,730,731,740,750,751,752,753,754,755
• SAPUI5 (UISAPUI5_JAVA)
  • 7.50
• SAPUI5 (SAP_UI)
  • 750, 751, 752, 753, 754, 755
• SAPUI5 (UI_700)
  • 200
• SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE)
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver AS JAVA (IIOP service) (CORE-TOOLS)
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver (Knowledge Management)
  • 7.30,7.31,7.40,7.50
• SAP Business Objects Business Intelligence Platform (BI Workspace)
  • 4.1, 4.2
• SAPFiori(Launchpad)
  • 750, 752, 753, 754, 755
• SAP 3D Visual Enterprise Viewer
  • 9
• AP Adaptive Server Enterprise
  • 15.7, 16.0

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Improper input validation.
• Missing authentication check.
• Cross-site scripting (XSS) attack.
• Code injection.

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700