Description:

SAP has released security update to address multiple vulnerabilities in the following products:

• SAP Application Server ABAP
  • 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
• SAP Business Client
  • 6.5
• SAP Business Objects Business Intelligence Platform
  • 1.0, 2.0, 2.x, 4.2 and prior 4.1, 4.2 and 4.3
• SAP Adaptive Server Enterprise (Backup Server)
  • 16.0
• SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer)
  • 4.1, 4.2
• SAP Adaptive Server Enterprise (Cockpit)
  • 16.0
• SAP Adaptive Server Enterprise
  • 16.0, 15.7
• SAP Adaptive Server Enterprise (XP Server on Windows Platform)
  • 15.7, 16.0
• SAP Master Data Governance
  • S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748
• SAP Adaptive Server Enterprise (Web Services)
  • 15.7, 16.0
• SAP Business Client
  • 7.0
• SAP Enterprise Threat Detection
  • 1.0, 2.0
• SAP Master Data Governance
  • 748, 749, 750, 751, 752, 800, 801, 802, 803, 804
• SAP Business Objects Business Intelligence Platform (CMC and BI launchpad)
  • 4.2
• SAP Plant Connectivity
  • 15.1, 15.2, 15.3, 15.4
• SAP NetWeaver AS ABAP (Web Dynpro ABAP)
  • SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804
• SAP Identity Management
  • 8.0

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Denial of Service (DoS)
• SQL Injection
• Code Injection
• Information Disclosure
• Cross-site scripting (XSS) attack.

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222