SAP^® and Oracle^® Security Advisories

HTTP Request Smuggling in SAP Web Dispatcher Impact On Business An unauthenticated attacker with access to the P4 port of a java-based SAP solution, would be able to read stored credential in plain text, execute RFC function implemented by the targeted system or even create, modify or delete stored connections. As a consequence, the system…

Unauthenticated SQL Injection and DoS in SeachFacade P4 service Impact On Business An unauthenticated attacker with access to the P4 port of a java-based SAP solution, would be able to read any table from the database, modify sensitive information and/or cause a Denial of Service against the targeted system. As a consequence, sensitive information could be…

Unauthenticated SQL Injection and DoS in JobBean P4 service Impact On Business An unauthenticated attacker with access to the P4 port of a java-based SAP solution, would be able to read any table from the database, modify sensitive information and/or cause a Denial of Service against the targeted system. As a consequence, sensitive information could be…

IMPACT ON BUSINESS This XSLT vulnerability allows an unprivileged authenticated attacker to execute an OS command as SAP administrator OS-level (sidadm). This results in a full compromise of the confidentiality, integrity and availability of the system. AFFECTED COMPONENTS DESCRIPTION SAP Enterprise Portal is a web frontend component for SAP Netweaver. Affected components: ENGINEAPI 7.10 ENGINEAPI…

Note: Please bear in mind that all the information provided here is subject to change due to how quickly new attacks and evasions for the proposed mitigations are found. Information on this page last updated 10 AM EST on 27 December 2021 UPDATES 12/27/2021: UPDATES 12/17/2021: Introduction On December 9th, a critical vulnerability (CVE-2021-44228) was…

Impact On Business The vulnerability can allow an attacker to inject OS commands and thus gain complete control of the host running the CA Introscope Enterprise Manager. That exploit can be started remotely and does not require authentication or any privileges. Affected Components Description CA Introscope Enterprise Manager is part of CA APM Introscope(R), an…

Impact On Business A malicious unauthenticated user could abuse the lack of authentication check on SAP Java P2P cluster communication, in order  to connect to the respective TCP ports and perform different privileged actions, such as: Installing new trusted SSO providers Changing database connection parameters Gaining access to configuration information Modify network configurations and potentially…

Impact On Business Due to a missing authorization check in SAP Solution Manager LM-SERVICE component a remote authenticated attacker could be able to execute privileged actions in the affected system, including the execution of operating system commands. Affected Components Description A core component of the SAP Solution Manager, LM-SERVICE is affected by this vulnerability. For…

Impact On Business By abusing a Code Injection in SAP MII, an authenticated user with SAP XMII Developer privileges could execute code (including OS commands) on the server. Thus, they would be able to do everything a SAP Administrator is able to do. Some possible actions are: Access to the SAP databases and read/modify/erase any…