SAP® and Oracle® Security Advisories

Onapsis Research Labs is the world’s leading team of security experts who combine their deep knowledge of critical ERP applications and decades of threat research experience to deliver impactful security insights and threat intelligence focused on the business-critical applications from SAP, Oracle, and SaaS providers. Onapsis Research Labs is, far and away, the most prolific and most celebrated contributor of vulnerability research by the SAP Product Security Response Team. No other research team comes close.

11/21/2021

XXE Vulnerability in SAP JAVA NetWeaver System Connections

Impact On Business A high-privileged SAP JAVA NetWeaver user is able to abuse an XXE vulnerability with the goal of reading files from the OS (compromising confidentiality) and/or making system processes crash (compromising availability). Affected Components Description The ESP framework is a framework used inside SAP JAVA NetWeaver. Due to being part of this foundational…

06/14/2021

SAP Manufacturing Integration & Intelligence Lack of Server Side Validations

Impact On Business By abusing a Code Injection in SAP MII, an authenticated user with SAP XMII Developer privileges could execute code (including OS commands) on the server. Thus, they would be able to do everything a SAP Administrator is able to do. Some possible actions are: Access to the SAP databases and read/modify/erase any…

06/14/2021

Missing Authorization Check in SAP SolMan Experience Monitoring

Impact On Business Any authenticated user of the Solution Manager is able to craft/upload and execute EEM scripts on the SMDAgents, affecting their Integrity, Confidentiality and Availability. Affected Components Description SAP SolMan 7.2 introduces a bunch of web services which run on top of the SAP Java NetWeaver stack. The affected versions have a…

06/14/2021

SAP Solution Manager Open Redirect from Trace Analysis

Impact On Business Under certain circumstances, an attacker might be able to steal a cookie from the application. It may impact the confidentiality of the service. Affected Components Description SAP Solution Manager 7.2 (Check SAP Note 2938650 for detailed information on affected releases) Vulnerability Details An open redirect vulnerability exists in the application E2E Trace…

06/14/2021

Denial of Service Vulnerability in SAP SolMan

Impact On Business Any authenticated user of the Solution Manager is able to either perform a Denial of Service or read sensitive information from every SMD Agent connected to the targeted SolMan. Affected Components Description SAP SolMan 7.2 introduces a bunch of web services which run on top of the SAP Java NetWeaver stack. The…

06/14/2021

Hard-coded Credentials in CA Introscope Enterprise Manager

Impact On Business Unauthenticated attackers can bypass the authentication if the default passwords for Admin and Guest users have not been changed by the administrator. This may impact the confidentiality of the service. Affected Components Description CA Introscope Enterprise Manager is part of CA APM Introscope(R), an application performance management solution to manage Java Application…

06/14/2021

Missing Authentication Check In SAP NetWeaver

Impact On Business A malicious unauthenticated user could abuse the lack of authentication check on SAP Java P2P cluster communication in order to connect to the respective TCP ports and perform different privileged actions, such as: installing new trusted SSO providers, changing database connection parameters, gaining access to configuration information, modifying network configurations and potentially…

06/14/2021

Missing authorization check in SAP Solution Manager

Impact On Business Due to a missing authorization check in the SAP Solution Manager LM-SERVICE component, a remote authenticated attacker could execute privileged actions in the affected system, including the execution of operating system commands. Affected Components Description A core component of the SAP Solution Manager, LM-SERVICE is affected by this vulnerability. For…

06/14/2021

OS Command Injection Vulnerability in SAP Wily Introscope Enterprise

Impact On Business The vulnerability can allow an attacker to inject OS commands and thus gain complete control of the host running the CA Introscope Enterprise Manager. The exploit can be launched remotely and does not require authentication or any privileges. Affected Components Description CA Introscope Enterprise Manager is part of CA APM Introscope(R), an…