Description:

SAP has released a security updates to address multiple vulnerabilities in the following products:

• SAP Business Client
  • 6.5
• SAP Business Warehouse
  • 700, 701, 702 ,710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 
• SAP NetWeaver AS JAVA
  • 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver AS Java (HTTP Service)
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver AS ABAP
  • 740, 750, 751, 752, 753, 754, 755
• SAP NetWeaver AS JAVA (Key Storage Service)
  • 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50
• Automated Note Search Tool (SAP Basis)
  • 7.0, 7.01,7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54
• SAP Commerce Cloud
  • 1808, 1811, 1905, 2005, 2011
• SAP BusinessObjects Business Intelligence platform (Web Intelligence HTML interface)
  • 410, 420
• SAP Master Data Governance
  • 748, 749, 750, 751, 752, 800, 801, 802, 803, 804
• SAP GUI FOR WINDOWS
  • 7.60
• SAP NetWeaver Master Data Management
  • 7.10, 7.10.750, 710
• SAP 3D Visual Enterprise Viewer
  • 9.0
• SAP Banking Services (Generic Market Data)
  • 400, 450, 500
• SAP EPM ADD-IN
  • 2.8, 1010

Threats:

An attacker could exploit these vulnerabilities by doing the following:

• Code injection
• Denial of Service (DoS)
• Information Disclosure
• SQL Injection
• Missing authentication
• Missing authorization check
• Cross-site scripting (XSS) attack

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476