SAP® and Oracle® Security Advisories

Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team. No other research team comes close.

08/28/2025

Multiple denial of service vulnerabilities in CL_HTTP_EXT_ECHO handler

Impact on Business
By exploiting any of these vulnerabilities, an attacker authenticated as a non-administrative user can significantly degrade the service quality experienced by legitimate users. The attacks introduce large response delays, excessive losses, and service interruptions, with a direct impact on availability.
Vulnerability Details
The HTTP requests…

08/26/2025

Arbitrary execution of RFC functions through BBP_PDH_PO_RESUBMIT

Impact on Business
This vulnerability allows an attacker to execute any function module that exists in the system. If, for example, a function module exists that can delete or overwrite files or execute operating system commands, the impact ranges from disruption of business processes to a denial of service.
Vulnerability Details…

08/26/2025

Arbitrary execution of RFC functions through SDF-CCM_AGS_CC_SIM_API_LOAD

Impact on Business
This vulnerability allows an attacker to execute any function module that exists in the system. If, for example, a function module exists that can delete or overwrite files or execute operating system commands, the impact ranges from disruption of business processes to a denial of service.
Vulnerability Details…
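
The pattern behind this class of finding, as an added illustration for both the BBP_PDH_PO_RESUBMIT and the SDF-CCM_AGS_CC_SIM_API_LOAD entries (this is not the vulnerable SAP code and not Onapsis's advisory content): a remote-enabled module accepts a function name from the RFC caller and calls it dynamically, shown first as the unguarded call and then restricted to an allow-list plus an S_RFC authorization check. The advisories above do not say how the two real modules receive the function name; the module Z_HYPO_RUN_FUNCTION, the allow-listed names and the use of the standard S_RFC object with fields RFC_TYPE, RFC_NAME and ACTVT are assumptions of this example.

```abap
FUNCTION z_hypo_run_function.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_FUNCNAME) TYPE  FUNCNAME
*"  EXPORTING
*"     VALUE(EV_RC) TYPE  SYSUBRC
*"----------------------------------------------------------------------
* Hypothetical remote-enabled module (processing type "Remote-Enabled"
* in SE37). Added example; not BBP_PDH_PO_RESUBMIT, not
* SDF-CCM_AGS_CC_SIM_API_LOAD, not Onapsis or SAP code.

  TYPES tt_funcnames TYPE STANDARD TABLE OF funcname WITH EMPTY KEY.

* Vulnerable pattern: the name sent by the RFC caller is executed as is,
* so every function module in the system becomes reachable through the
* authorization for this one module, including modules that delete
* files or run operating system commands.
*  CALL FUNCTION iv_funcname.

* Hardened pattern, step 1: only an explicit allow-list of modules that
* this interface is meant to trigger (assumed names).
  DATA(lt_allowed) = VALUE tt_funcnames( ( 'Z_HYPO_RESUBMIT_ONE_PO' )
                                         ( 'Z_HYPO_REPORT_PO_STATUS' ) ).
  IF NOT line_exists( lt_allowed[ table_line = iv_funcname ] ).
    ev_rc = 4.
    RETURN.
  ENDIF.

* Step 2: the caller still needs S_RFC for the target module itself,
* not only for the module that forwards the call (assumed standard
* object with fields RFC_TYPE, RFC_NAME, ACTVT; '16' = execute).
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUNC'
    ID 'RFC_NAME' FIELD iv_funcname
    ID 'ACTVT'    FIELD '16'.
  IF sy-subrc <> 0.
    ev_rc = 8.
    RETURN.
  ENDIF.

* Step 3: the dynamic call now only reaches allow-listed modules, so
* their interfaces are known and a non-existent name cannot reach the
* CALL statement.
  CALL FUNCTION iv_funcname
    EXCEPTIONS
      OTHERS = 1.
  ev_rc = sy-subrc.

ENDFUNCTION.
```

The allow-list is the check that matters: S_RFC alone does not help when the caller already holds a broad RFC_NAME wildcard, which is common in integration users. A design that avoids a caller-supplied function name altogether (one remote-enabled module per action, with fixed interfaces) removes the problem rather than filtering it.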

08/22/2025

Missing Authorization check in SAP ERP Defence Forces and Public Security

Impact on Business
A successful attack discloses the assignment between storage locations and warehouse numbers.
Vulnerability Details
The /ISDFPS/ISDFPS/WM_LES function group, inside the /ISDFPS/MM package, implements a remote-enabled function module called /ISDFPS/GET_LGNUM_RFC that performs no authorization check. Any user with enough…
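
The shape of a missing authorization check in a remote-enabled module, as an added example that is not /ISDFPS/GET_LGNUM_RFC and not Onapsis or SAP code: the module reads the storage location to warehouse number assignment and returns it, first without any check, then guarded by an AUTHORITY-CHECK on the warehouse number before the value leaves the module. Assumptions of this example: table T320 as the source of the assignment (plant, storage location, warehouse number), the standard authorization object L_LGNUM with fields LGNUM and ACTVT, activity '03' for display, and the Z_HYPO module name.

```abap
FUNCTION z_hypo_get_lgnum_rfc.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_WERKS) TYPE  WERKS_D
*"     VALUE(IV_LGORT) TYPE  LGORT_D
*"  EXPORTING
*"     VALUE(EV_LGNUM) TYPE  LGNUM
*"  EXCEPTIONS
*"      NOT_FOUND
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
* Hypothetical remote-enabled module (processing type "Remote-Enabled"
* in SE37). Added example; not /ISDFPS/GET_LGNUM_RFC, not Onapsis or
* SAP code.

* Missing-check pattern: anyone who may call this module over RFC at
* all receives the storage location -> warehouse number mapping.
*  SELECT SINGLE lgnum FROM t320 INTO @ev_lgnum
*    WHERE werks = @iv_werks AND lgort = @iv_lgort.

* Hardened pattern: read the assignment (assumed table T320), then
* check the caller against the warehouse number it resolves to before
* returning it (assumed object L_LGNUM, fields LGNUM and ACTVT,
* activity '03' = display).
  SELECT SINGLE lgnum FROM t320 INTO @ev_lgnum
    WHERE werks = @iv_werks AND lgort = @iv_lgort.
  IF sy-subrc <> 0.
    CLEAR ev_lgnum.
    RAISE not_found.
  ENDIF.

  AUTHORITY-CHECK OBJECT 'L_LGNUM'
    ID 'LGNUM' FIELD ev_lgnum
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Clear the export so the value does not leak on the failed path.
    CLEAR ev_lgnum.
    RAISE not_authorized.
  ENDIF.

ENDFUNCTION.
```

Two details are easy to get wrong in this shape of fix: the export parameter must be cleared before the exception is raised, because a remote caller can otherwise read the value despite the error, and the check has to run on the data that is actually returned (the warehouse number), not on a parameter the caller chose. Raising NOT_FOUND before the authorization check still tells an unauthorized caller whether a combination exists; if that matters, run the check on a plant-level object first or return the same exception in both cases.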

08/22/2025

Information Disclosure vulnerability in SAP NetWeaver – WSRM

Impact on Business
A successful attack discloses information that extends an attacker's knowledge of the target and the scope of further attacks.
Vulnerability Details
The servlet tc~esi~esp~wsrm~itsam~jmx in SAP XI/PI/PO allows unauthenticated attackers to gather detailed information on the target's operating system, SID and hostname.
Solution
SAP has released SAP Note…

08/22/2025

Information Disclosure vulnerability in SAP NetWeaver Process Integration – Support Web Pages

Impact On Business
A successful attack discloses information that extends an attacker's knowledge of the target and the scope of further attacks.
Vulnerability Details
The application com.sap.xi.repository in SAP XI/PI/PO allows unauthenticated attackers to gather detailed information on the versions running on the target.
Solution
SAP has released SAP…

08/18/2025

XXE vulnerability in SAP NetWeaver AS Java – Guided Procedures

Impact On Business
A successful attack compromises the confidentiality of SAP NetWeaver AS Java: the attacker can perform SSRF or retrieve files from the server.
Vulnerability Details
The servlet caf~eu~gp~model~iforms~eap in SAP NetWeaver AS Java resolves external entities while parsing the fromprocessor XML response. Attackers…

08/18/2025

IS-OIL – OS Command Injection FM OIB_QCI_SERVER

Impact On Business
A successful attack allows an attacker to execute blind operating system commands as the SAP system administrator user (sidadm), leading to full compromise of the SAP NetWeaver system.
Vulnerability Details
An OS command injection vulnerability exists in the function module OIB_QCI_SERVER, delivered in the OIB_QCI package and provided by IS-OIL…
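
An OS command injection pattern in an ABAP function module and one way to close it, as an added example that is not OIB_QCI_SERVER and not Onapsis or SAP code: a caller-controlled file name concatenated into a shell line (which the kernel runs as the <sid>adm user, with nothing of the output returned, hence "blind"), replaced by a strict allow-list check on the argument, an S_LOG_COM authorization check, and execution through a pre-defined SM69 external command via SXPG_COMMAND_EXECUTE. Assumptions of this example: an SM69 command Z_HYPO_LIST_FILE exists and wraps a fixed program, the standard S_LOG_COM object has fields COMMAND, OPSYSTEM and HOST, and all Z_HYPO names are invented.

```abap
FUNCTION z_hypo_os_command.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_FILENAME) TYPE  STRING
*"  EXPORTING
*"     VALUE(EV_EXITCODE) TYPE  I
*"  TABLES
*"      ET_OUTPUT STRUCTURE  BTCXPM
*"  EXCEPTIONS
*"      BAD_PARAMETER
*"      NOT_AUTHORIZED
*"      EXEC_FAILED
*"----------------------------------------------------------------------
* Hypothetical remote-enabled module (processing type "Remote-Enabled"
* in SE37). Added example; not OIB_QCI_SERVER, not Onapsis or SAP code.

  CONSTANTS lc_allowed_chars TYPE string VALUE
    `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-`.
  DATA lv_params TYPE sxpgcolist-parameters.

* Injection pattern: the caller's value is glued into a shell command
* line and handed to the kernel. Metacharacters such as ';', '|' and
* '$(...)' in iv_filename run as <sid>adm, and no output comes back.
*  DATA(lv_cmd) = |ls -l { iv_filename }|.
*  CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.

* Hardened pattern, step 1: accept only what a file name needs and
* reject everything else, instead of trying to strip dangerous
* characters (a deny-list always misses one).
  IF iv_filename IS INITIAL
     OR strlen( iv_filename ) > 255
     OR iv_filename CN lc_allowed_chars
     OR iv_filename CS '..'.
    RAISE bad_parameter.
  ENDIF.

* Step 2: the caller needs authorization for this command on this host
* (assumed standard object S_LOG_COM, fields COMMAND, OPSYSTEM, HOST).
  AUTHORITY-CHECK OBJECT 'S_LOG_COM'
    ID 'COMMAND'  FIELD 'Z_HYPO_LIST_FILE'
    ID 'OPSYSTEM' FIELD sy-opsys
    ID 'HOST'     FIELD sy-host.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

* Step 3: run the pre-defined command (assumed SM69 entry
* Z_HYPO_LIST_FILE); the validated value travels as that command's
* parameter, never as part of a shell line built here.
  lv_params = iv_filename.
  CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
    EXPORTING
      commandname           = 'Z_HYPO_LIST_FILE'
      additional_parameters = lv_params
      operatingsystem       = sy-opsys
    IMPORTING
      exitcode              = ev_exitcode
    TABLES
      exec_protocol         = et_output
    EXCEPTIONS
      no_permission         = 1
      command_not_found     = 2
      parameters_too_long   = 3
      security_risk         = 4
      OTHERS                = 5.
  IF sy-subrc <> 0.
    RAISE exec_failed.
  ENDIF.

ENDFUNCTION.
```

SXPG_COMMAND_EXECUTE performs its own metacharacter screening (the SECURITY_RISK exception) and only runs commands maintained in SM69, which is why it is preferred over CALL 'SYSTEM'; the allow-list in step 1 is still needed, because an SM69 command that permits additional parameters passes whatever survives that screening to the wrapped program.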

08/18/2025

Memory Corruption vulnerability in SAP CommonCryptoLib

Impact On Business
A manipulated data package with a corrupted SNC NAME ASN.1 structure can cause a parser error and crash the application.
Vulnerability Details
A memory corruption vulnerability exists in sec1_gss_import_name() in the libsapcrypto.so library. The function trusts the incoming size parameter for a specific option….

Page 2 of 30