Advisory
On 09.08.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP GUI / Frontend.
SAP Note 3156484 addresses "Information Disclosure vulnerability in SAP Business Client" to prevent insufficient security function with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specification
Due to incorrect certificate validation, SAP Business Client allows an authenticated attacker to access information that would otherwise be restricted.Solution
SAP Business Client can now be switched to a more strict mode, where no certificate errors are omitted.
- 9.0 [CVE-2023-0014] Capture-replay vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
- 8.5 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
- 6.7 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
- 6.3 [CVE-2021-21472] Server password not set during installation of SAP NetWeaver Master Data Management 7.1
- 5.4 [CVE-2020-6178] Insufficient session expiration in SAP Enable Now Manager