Martin Gallo

Name of the Vulnerable Software and Affected Versions: SAP NetWeaver versions 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 Description: A Buffer Overflow issue exists in the Message Server service, specifically in the MsJ2EE AddStatistics() function, when it processes specially crafted SAP Message Server packets sent to remote TCP ports. This could allow a remote malicious user to execute arbitrary code. Recommendations: For SAP NetWeaver version 2004s, update to a version that includes the fix for this issue. For SAP NetWeaver version 7.01 SR1, update to a version that includes the fix for this issue. For SAP NetWeaver version 7.02 SP06, update to a version that includes the fix for this issue. For SAP NetWeaver version 7.30 SP04, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the MsJ2EE AddStatistics() function in the Message Server service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SAP SAPCAR version 721.510 **Description** The issue is a Heap Based Buffer Overflow that can be exploited with a crafted CAR archive file from an untrusted remote source. The problem arises because the length of data written is determined by an arbitrary number found within the file. **Recommendations** For SAP SAPCAR version 721.510, apply the fix as described in SAP Security Note 2441560.

**Name of the Vulnerable Software and Affected Versions** SAP Download Manager versions 2.1.142 and earlier **Description** The issue allows context-dependent attackers to obtain sensitive configuration information by leveraging knowledge of a hardcoded encryption key used to protect stored data. **Recommendations** For SAP Download Manager versions 2.1.142 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP SAPCAR (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service, resulting in a program crash, by including an invalid file name in an archive file. This occurs because SAP SAPCAR does not check the return value of file operations when extracting files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP SAPCAR (affected versions not specified) **Description** The issue allows local users to change the permissions of arbitrary files and gain privileges via a hard link attack on files extracted from an archive. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SAP MaxDB versions 7.5 through 7.6 Netweaver Application Server ABAP (affected versions not specified) Netweaver Application Server Java (affected versions not specified) Netweaver RFC SDK (affected versions not specified) GUI (affected versions not specified) RFC SDK (affected versions not specified) SAPCAR archive tool (affected versions not specified) **Description** The issue is related to a stack-based buffer overflow in the LZC decompression implementation, specifically in the `CsObjectInt::CsDecomprLZC` function. This can be exploited by attackers to cause a denial of service or possibly execute arbitrary code. The exploitation vectors are not specified. **Recommendations** For SAP MaxDB versions 7.5 through 7.6, update to a version that includes the fix for the `CsObjectInt::CsDecomprLZC` function issue. For Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, and SAPCAR archive tool, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SAP MaxDB versions 7.5 through 7.6 Netweaver Application Server ABAP (affected versions not specified) Netweaver Application Server Java (affected versions not specified) Netweaver RFC SDK (affected versions not specified) GUI (affected versions not specified) RFC SDK (affected versions not specified) SAPCAR archive tool (affected versions not specified) **Description** The issue allows context-dependent attackers to cause a denial of service via unspecified vectors, related to look-ups of non-simple codes in the LZH decompression implementation, specifically in the CsObjectInt::BuildHufTree function. **Recommendations** For SAP MaxDB versions 7.5 through 7.6, update to a version that includes the fix for the CsObjectInt::BuildHufTree function issue. For Netweaver Application Server ABAP, apply the necessary patches or updates as specified in the relevant security notes. For Netweaver Application Server Java, apply the necessary patches or updates as specified in the relevant security notes. For Netweaver RFC SDK, apply the necessary patches or updates as specified in the relevant security notes. For GUI, apply the necessary patches or updates as specified in the relevant security notes. For RFC SDK, apply the necessary patches or updates as specified in the relevant security notes. For SAPCAR archive tool, apply the necessary patches or updates as specified in the relevant security notes. As a temporary workaround, consider restricting the use of the LZH decompression implementation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sendio versions prior to 7.2.4 **Description** The issue is related to the Web interface not properly handling sessions. This allows remote authenticated users to obtain sensitive information from other users' sessions by making a large number of requests. **Recommendations** For versions prior to 7.2.4, update to version 7.2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SAP Router versions prior to 721 patch 118 SAP Router versions prior to 720 patch 412 SAP Router versions prior to 710 patch 030 **Description** The issue allows remote attackers to obtain passwords via a brute-force attack that relies on timing differences in responses to incorrect password guesses, also known as a timing side-channel attack. This occurs because the `passwordCheck` function terminates validation of a Route Permission Table entry password upon encountering the first incorrect character. **Recommendations** For SAP Router version 721 patch 117 and earlier, update to version 721 patch 118 or later. For SAP Router version 720 patch 411 and earlier, update to version 720 patch 412 or later. For SAP Router version 710 patch 029 and earlier, update to version 710 patch 030 or later.