SAP® and Oracle® Security Advisories

Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team. No other research team comes close.

08/22/2025

Information Disclosure vulnerability in SAP NetWeaver – WSRM

Impact on Business: Successful attacks lead to information disclosure and extend an attacker's scope and knowledge of the target. Vulnerability Details: The servlet tc~esi~esp~wsrm~itsam~jmx in SAP XI/PI/PO allows unauthenticated attackers to gather detailed information on the target OS, SID and hostname. Solution: SAP has released SAP Note…

08/22/2025

Information Disclosure vulnerability in SAP NetWeaver Process Integration – Support Web Pages

Impact on Business: Successful attacks lead to information disclosure and extend an attacker's scope and knowledge of the target. Vulnerability Details: The application com.sap.xi.repository in SAP XI/PI/PO allows unauthenticated attackers to gather detailed information on target versions. Solution: SAP has released SAP…

08/18/2025

SAP Netweaver JAVA – Log viewer injection

Impact on Business: An unauthenticated attacker can use the login form to create additional information entries in SAP Log Viewer, obscuring actions, complicating log analysis and potentially breaking some automated log analyser tools. Vulnerability Details: It is possible to inject “NewLine” characters in…

08/18/2025

SAP Portal – Authenticated XXE in SystemFromParConverter

Impact on Business: Successful attacks impact the confidentiality of the SAP Portal. Vulnerability Details: The web service com.sap.portal.ivs.systemlandscapeservice.SystemFromParConverter in SAP Portal resolves external entities during the parsing of the PAR file. Attackers could reference HTTP requests or file access through new entities, making the parser load the result…

07/18/2025

Cross-Site Scripting XSS vulnerability in SAP NetWeaver AS ABAP

Impact on Business: Impact depends on the victim’s privileges. In the worst case, a successful attack allows an attacker to hijack a session or force the victim to perform undesired requests in the SAP system. Affected Components Description: The SAP Host Agent can accomplish several life-cycle tasks…

07/18/2025

SAP Netweaver ABAP – EPS_OPEN_INPUT_FILE path traversal

Impact on Business: An attacker with high-level privileges can use a remote-enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application. Affected Components Description: SAP NetWeaver Application Server for ABAP provides both the…

07/18/2025

SAP EA-DFPS – Syslog pollution

Impact on Business: By polluting the main SAP system log, an attacker could, among other things: hide malicious activity; force the syslog to reach its limit and overwrite itself, removing evidence of activity; add false alerts to create a distraction. Affected Components Description: From the official SAP website. Due to the specific…

07/17/2025

Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP

Impact on Business: Impact depends on the victim’s privileges. In most cases, a successful attack allows an attacker to hijack a session or force the victim to perform an undesired request in SAP NetWeaver ABAP. Affected Components Description: SAP NetWeaver Application Server for ABAP provides…

07/17/2025

SAP Host Agent – sapstartsrv – OOB memory access in MsIGetProfileValue

Impact on Business: Remotely exploitable without authentication; an attacker could perform a DoS against all sapstartsrv services, directly impacting the availability of this service and causing significant availability issues for the SAP system. Affected Components Description: The SAP Host Agent can accomplish several life-cycle tasks…

Page 2 of 9