SAP^® and Oracle^® Security Advisories

IMPACT ON BUSINESS Successful attacks can lead to various types of exploitation like CSRF, html injection, data exfiltration, depending on the victim’s privileges. AFFECTED COMPONENTS DESCRIPTION SAP Enterprise Portal is a web frontend component for SAP Netweaver. Affected components: EP-RUNTIME 7.10 EP-RUNTIME 7.11 EP-RUNTIME 7.20 EP-RUNTIME 7.30 EP-RUNTIME 7.31 EP-RUNTIME 7.40 EP-RUNTIME 7.50 (Check SAP…

IMPACT ON BUSINESS This XSLT vulnerability allows an unprivileged authenticated attacker to execute an OS command as SAP administrator OS-level (sidadm). This results in a full compromise of the confidentiality, integrity and availability of the system. AFFECTED COMPONENTS DESCRIPTION SAP Enterprise Portal is a web frontend component for SAP Netweaver. Affected components: ENGINEAPI 7.10 ENGINEAPI…

IMPACT ON BUSINESS Impact depends on the victim’s privileges. In the worst case, a successful attack allows an attacker to hijack an administrator session and perform actions like exfiltrate data, change data or shutdown the Portal. AFFECTED COMPONENTS DESCRIPTION SAP Enterprise Portal is a web frontend component for SAP Netweaver. Affected components: EP-RUNTIME 7.30 EP-RUNTIME…

IMPACT ON BUSINESS Impact depends on the victim’s privileges. In the worst case, a successful attack allows an attacker to hijack an administrator session and perform actions like exfiltrate data, change data or shutdown the Portal. AFFECTED COMPONENTS DESCRIPTION SAP Enterprise Portal is a web frontend component for SAP Netweaver. Affected components: EP-RUNTIME 7.10 EP-RUNTIME…

Note: Please bear in mind that all the information provided here is subject to change due to how quickly new attacks and evasions for the proposed mitigations are found. Information on this page last updated 10 AM EST on 27 December 2021 UPDATES 12/27/2021: UPDATES 12/17/2021: Introduction On December 9th, a critical vulnerability (CVE-2021-44228) was…

Impact On Business An unauthenticated attacker without specific knowledge of the system can send a specially crafted packet over a network which will trigger an internal error in the system causing the system to crash and rendering it unavailable. Affected Components Description The SAP dispatcher service is part of SAP Kernel. Mandatory, it manages, gathers…

Impact On Business An unauthenticated attacker without specific knowledge of the system can send a specially crafted packet over a network which will trigger an internal error in the system causing the system to crash and rendering it unavailable. Affected Components Description The SAP IGS is a widely-used, server-based engine for generating graphical and non-graphical…

Impact On Business An unauthenticated attacker without specific knowledge of the system can send a specially crafted packet over a network which will trigger an internal error in the system causing the system to crash and rendering it unavailable. Affected Components Description The SAP Gateway server is the component that manages the communication between the…

Impact On Business A high-privileged SAP JAVA NetWeaver user is able to abuse an XXE vulnerability with the goal of reading files from the OS (compromising confidentiality) and/or making system processes crash (compromising availability). Affected Components Description The ESP framework is a framework used inside SAP JAVA NetWeaver. Due to being part of this foundational…