Description:

SAP has released a security updates to address multiple vulnerabilities in the following products:

• SAP Business Client
  • 6.5, 7.0, 7.70
• SAP NetWeaver Application Server Java (JMS Connector Service)
  • 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP Business One
  • 10.0
• SAP S/4HANA
  • 1511, 1610, 1709, 1809, 1909, 2020, 2021
• SAP NetWeaver (Visual Composer 7.0 RT)
  • 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver Knowledge Management XML Forms
  • 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
• SAP Contact Center
  • 700
• SAP Web Dispatcher
  • WEBDISP - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83
• SAP CommonCryptoLib
  • 8.5.38 or lower
• SAP Analysis for Microsoft Office
  • 2.8
• SAP BusinessObjects Business Intelligence Platform (BI Workspace)
  • 420
• SAP ERP Financial Accounting (RFOPENPOSTING_FR)
  • SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105
• SAP NetWeaver Enterprise Portal
  • 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP 3D Visual Enterprise Viewer
  • 9.0

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Cross-site scripting (XSS)
• Missing authorization check
• Code Injection
• SQL Injection
• Unrestricted file upload

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405