Description
The correction delivered with SAP Note 2736825 was overwritten in kernel 7.45 and later by other functionality, so new patch levels are required; they are defined in this SAP Security Note.
ABAP Server (used in SAP NetWeaver, Suite/ERP, and S/4HANA) does not sufficiently validate an XML document accepted from an untrusted source.
Well-known impacts of a missing XML validation weakness include:
- retrieval of arbitrary files from the server
- denial of service following a successful exploit
Note that the CVSS vector given below rates only the availability impact for this issue (A:H, with C:N and I:N).
Available fix and Supported packages
Support packages (software component | from release | to release):
- KRNL64NUC | 7.49 | 7.49
- KRNL64UC | 7.49 | 7.49
- KRNL64UC | 7.53 | 7.53
- KRNL64UC | 7.73 | 7.73
- KERNEL | 7.49 | 7.49
- KERNEL | 7.53 | 7.53
- KERNEL | 7.73 | 7.73
- KERNEL | 7.77 | 7.77
- KERNEL | 7.78 | 7.78
- KERNEL | 7.79 | 7.79
Patch levels (kernel | support package | patch level):
- SAP KERNEL 7.49 64-BIT | SP815 | 000815
- SAP KERNEL 7.49 64-BIT UNICODE | SP815 | 000815
- SAP KERNEL 7.53 64-BIT | SP522 | 000522
- SAP KERNEL 7.53 64-BIT UNICODE | SP522 | 000522
- SAP KERNEL 7.73 64-BIT UNICODE | SP232 | 000232
- SAP KERNEL 7.77 64-BIT UNICODE | SP039 | 000039
- SAP KERNEL 7.78 64-BIT UNICODE | SP017 | 000017
- SAP KERNEL 7.79 64-BIT UNICODE | SP006 | 000006
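The patch table above is what an administrator has to compare against each system's actual kernel. The following script is an added example, not SAP or RedRays code: it encodes the fixed patch levels from this note and checks the release and patch number reported by the kernel binary against them. It assumes the field names `kernel release` and `patch number` as they appear in typical `disp+work -V` output; the sample output embedded in the script is constructed, not captured from a real system. A release that the note does not list (for example 7.45, which the description mentions) is reported as `unlisted` rather than as fixed, so it is not mistaken for a patched system.

```python
"""Compare an SAP kernel's release/patch level with the fixed levels of this note.

Added example, not SAP or RedRays code. Assumes `disp+work -V` style output
with the lines "kernel release <nnn>" and "patch number <nnn>".
"""
import re

# Fixed patch levels taken from the note's patch table, keyed by kernel release.
# Releases 7.49 and 7.53 appear twice in the table (64-BIT and 64-BIT UNICODE)
# with the same level, so one entry per release is sufficient.
FIXED_PATCH_LEVEL = {
    "749": 815,
    "753": 522,
    "773": 232,
    "777": 39,
    "778": 17,
    "779": 6,
}

# Constructed sample in the layout of `disp+work -V` (field names are assumed).
SAMPLE_DISPWORK_V = """\
--------------------
disp+work information
--------------------

kernel release                753

kernel make variant           753_REL

compiled on                   Linux GNU SLES-12 x86_64 cc4.8.5 for linuxx86_64

update level                  0

patch number                  401

source id                     0.401
"""


def parse_kernel_info(text):
    """Return (release, patch_number) from disp+work -V style output.

    `release` is kept as the three-digit string used by the kernel ("753"),
    `patch_number` is converted to int so it can be compared numerically.
    """
    release = re.search(r"^kernel release\s+(\d+)\s*$", text, re.M)
    patch = re.search(r"^patch number\s+(\d+)\s*$", text, re.M)
    if not release or not patch:
        raise ValueError("kernel release / patch number not found in output")
    return release.group(1), int(patch.group(1))


def assess(release, patch_number):
    """Return 'fixed', 'vulnerable' or 'unlisted' for a release/patch pair.

    'unlisted' means the note's table has no entry for this release; that is
    not a clean result and has to be resolved against the note itself.
    """
    fixed = FIXED_PATCH_LEVEL.get(release)
    if fixed is None:
        return "unlisted"
    return "fixed" if patch_number >= fixed else "vulnerable"


def check_output(text):
    """Parse disp+work -V output and return (release, patch_number, verdict)."""
    release, patch = parse_kernel_info(text)
    return release, patch, assess(release, patch)


if __name__ == "__main__":
    rel, pl, verdict = check_output(SAMPLE_DISPWORK_V)
    print(f"kernel release {rel}, patch number {pl}: {verdict}")
```

On a real host, feed the script the output of `disp+work -V` from the kernel directory of the instance being checked; each application server in a landscape can run a different kernel patch, so the check belongs on every instance, not only the central one.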
Affected component
- BC-ABA-XML (ABAP XML processing)
CVSS
Score: 6.5 (Medium)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
PoC
Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2870067