SAP^® and Oracle^® Security Advisories

Impact On Business Under certain circumstances, an attacker might be able to steal a cookie from the application. It may impact the confidentiality of the service. Affected Components Description SAP Solution Manager 7.2 (Check SAP Note 2938650 for detailed information on affected releases) Vulnerability Details An open redirect vulnerability exists in the application E2E Trace…

Impact On Business Any authenticated user of the Solution Manager is able to either perform a Denial of Service or read sensitive information from every SMD Agent connected to the targeted SolMan. Affected Components Description SAP SolMan 7.2 introduces a bunch of web services which run on top of the SAP Java NetWeaver stack. The…

Impact On Business Unauthenticated attackers can bypass the authentication if the default passwords for Admin and Guest users have not been changed by the administrator. This may impact the confidentiality of the service. Affected Components Description CA Introscope Enterprise Manager is part of CA APM Introscope(R), an application performance management solution to manage Java Application…

Impact On Business A malicious unauthenticated user could abuse the lack of authentication check on SAP Java P2P cluster communication, in order  to connect to the respective TCP ports and perform different privileged actions, such as: Installing new trusted SSO providers Changing database connection parameters Gaining access to configuration information Modify network configurations and potentially…

Denial of Service in SAP NetWeaver AS ABAP Impact on Business A remote attacker can block all work processes of an SAP System running on SAP NetWeaver AS ABAP. This has a very high negative impact on the availability of the system and its business applications. Vulnerability Details The remote-enabled function module SPI_WAIT_MILLIS blocks a…

Impact On Business A malicious authenticated attacker could abuse some particular services exposed by the SAP JAVA Netweaver allowing them to execute commands in the underlying operating system. Affected Components Description SAP NetWeaver JAVA is a foundational layer which is used by several SAP products, such as: SAP Enterprise portal SAP Solution Manager SAP PI/PO…

Impact On Business A malicious authenticated attacker, with privileges of SAP SMD Agent access, could abuse some SAP Host Control functions’ lack of sanitization, in order to escalate its privileges and execute commands as root/system user. Affected Components Description The SAP Host Agent is an agent which allows controlling and monitoring SAP and non-SAP instances….

Impact On Business A malicious unauthenticated user could abuse the lack of authentication check on a particular web service exposed by default in SAP Netweaver JAVA stack, allowing them to fully compromise the targeted system. Affected Components Description LM CONFIGURATION WIZARD is a part of SAP NetWeaver JAVA which is a foundational layer used by…

Impact On Business A malicious unauthenticated user could abuse the lack of authentication check on SAP Solution Manager User-Experience Monitoring web service, allowing them to remotely execute commands in all hosts connected to the targeted SolMan through these SMD Agents. Affected Components Description SAP SolMan 7.2 introduces a bunch of web services which run on…