SAP Environmental Compliance is susceptible to XML external entity (XXE) injection: specially prepared XML input can be used to attack the application through external entity references. SAP NetWeaver AS ABAP and the ABAP Platform also have a dangerous vulnerability: attackers could smuggle malicious code into the system. This and other information on vulnerabilities in various products was brought together by SAP for its October patch day. Admins should import the available updates as soon as possible.
The weaknesses in Environmental Compliance and NetWeaver are considered critical: They were assigned the CVSS scores 9.8 and 9.1 out of a possible 10, respectively. SAP rated another vulnerability as “High” (7.8). It is in the mobile “SAP SuccessFactors” application for Android and could be used to carry out denial-of-service attacks.
A complete overview of the aforementioned and several other security problems with “Medium” classification, along with information on vulnerable versions, is provided in SAP’s Patchday Advisory for October 2021. As usual, it links to so-called “Security Notes”, which can be viewed in the password-protected customer area and provide further information on available updates. The updates to earlier security notes mentioned in the advisory are also worth a look.