Description:

SAP has released a security update to address vulnerabilities in the following products:

• SAP Adaptive Server Enterprise; Version - 16.0
• SAP Banking Services (Generic Market Data); Versions - 400, 450, 500
• SAP Business Objects Business Intelligence Platform (Central Management Console); Versions - 4.2, 4.3
• SAP Business Objects Business Intelligence Platform; Versions - 4.2, 4.3
• SAP Commerce; Versions - 6.7, 1808, 1811, 1905, 2005
• SAP Data Intelligence; Version – 3
• SAP ERP (HCM Travel Management); Versions - 600, 602, 603, 604, 605, 606, 607, 608
• SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755
• SAP NetWeaver (ABAP Server) and ABAP Platform; Versions - 702, 730, 731, 740, 750, 751, 752, 753, 754, 755
• SAP NetWeaver (Knowledge Management); Versions - 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver AS JAVA (ENGINEAPI); Versions - 7.10, 7.10
• SAP NetWeaver AS JAVA (J2EE-FRMW); Versions - J2EE-FRMW 7.10, 7.11
• SAP NetWeaver AS JAVA (LM Configuration Wizard); Versions - 7.30, 7.31, 7.40, 7.50
• SAP NetWeaver AS JAVA (SERVERCORE); Versions - 7.10, 7.10, 7.11
• SAP NetWeaver AS JAVA (WSRM); Versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
• SAP S/4 HANA (Fiori UI for General Ledger Accounting); Versions - 103, 104
• SAPUI5 (SAP_UI); Versions - 750, 751, 752, 753, 754, 755
• SAPUI5 (UI_700); Version – 200
• SAPUI5 (UISAPUI5_JAVA); Version - 7.50

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Unauthorized disclosure of information
• Code injection
• Cross-site scripting (XSS)
• Bypass of a protection mechanism

Best practice and Recommendations:

The CERT team encourages users to review SAP security advisory and apply the necessary updates:

• https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345