SAP^® and Oracle^® Security Advisories

Denial of service (DOS) in SAP NetWeaver and ABAP platform! Impact on Business A remote attacker can block all work processes of an SAP System running on SAP NetWeaver AS ABAP. This has a very high negative impact on the availability of the system and its business  applications. Vulnerability Details A certain remote-enabled function module, from /SDF/EWA…

Missing Authorization Check in SAP Production and Revenue Accounting Impact on Business Successful exploitation of the vulnerability gives the attacker useful information that can be used in espionage campaigns or in building different exploitation chains based on it. This has a high impact on the confidentiality of the system and its business applications. Vulnerability Details A certain remote-enabled…

Insufficient Authorization Checks on RFC Enabled Function Module F4_DXFILENAME_TOPRECURSION Impact on Business A remote attacker can read all filenames of arbitrary directories from the file system of the application server. This has a low impact on the confidentiality of the system and its business applications. Vulnerability Details Remote-enabled function module F4_DXFILENAME_TOPRECURSION allows non-administrative authenticated users to read filenames…

Denial of service in ckass CL_APC_WS_EXT_PERFORMANCE_TEST Impact on Business By exploiting this vulnerability, an attacker, authenticated as a non-administrative user, has the ability to significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Vulnerability Details An attacker, authenticated as non-administrative user on…

Denial of Service in CL_HTTP_EXT_ERROR Impact on Business By exploiting this vulnerability, an attacker, authenticated as a non-administrative user, has the ability to significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Vulnerability Details The HTTP requests handler class CL_HTTP_EXT_ERROR allows non-administrative authenticated…

Reflected Cross Site Scripting in “bsp_vhelp” BSP Application Impact on Business By exploiting this vulnerability a remote attacker could trick users into clicking malicious links and depending on the level of protection that the browser provides, the attacker could potentially steal their user sessions or other information. Vulnerability Details Due to insufficient input sanitization, SAP…

Multiple denial of service vulnerabilities in CL_HTTP_EXT_ECHO handler Impact on Business By exploiting any of these vulnerabilities, an attacker, authenticated as a non-administrative user, has the ability to significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability. Vulnerability Details The HTTP requests…

Arbitrary execution of RFC functions through BBP_PDH_PO_RESUBMIT Impact on Business This vulnerability allows an attacker to execute any function that exists in the system, therefore if there is, for example, a function that can delete/overwrite files or execute operating system commands, this could be affected from the business to a denial of service. Vulnerability Details…

Missing Authorization check in SAP ERP Defence Forces and Public Security Impact on Business Successful attack can lead to discovery assignment between storage location and warehouse number. Vulnerability Details The /ISDFPS/ISDFPS/WM_LES function group, inside the /ISDFPS/MM package, implements a remote-enabled function module called /ISDFPS/GET_LGNUM_RFC which does not make any authorization check. Any user with enough…