SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
SAP Business Planning and Consolidation and SAP Business Warehouse
This is your only weekend task. CVSS 9.9 with a low-privilege exploit path and direct database access is as bad as it gets in SAP land. If you run BPC or BW, this goes to production before Monday. The workaround (revoking S_GUI Activity 60) has collateral damage — patch properly.
Vulnerability Detail
A low-privileged authenticated user can upload a file containing arbitrary SQL statements that are then executed against the database. Full read, modify, and delete access to database content is possible. Manipulated planning figures, broken reports, and deleted consolidation data can result.
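The defect class described above, file content that is spliced into SQL text, is easiest to see in miniature. The following is an added illustration written for this page, not SAP's code and not the affected program; it uses Python and an in-memory SQLite table with a constructed "planning upload" file. The vulnerable loader builds statements by string formatting, so the file becomes code; the hardened loader validates each field against its expected shape and binds values with placeholders, so the same file is rejected before it reaches the database.

```python
import csv
import io
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample upload (not a real BPC/BW file format). The second
# record smuggles a SQL statement into the amount column.
UPLOAD = """account,period,amount
4000,2024-01,1250.00
4010,2024-01,99.50); DELETE FROM planning; --
"""
CLEAN_UPLOAD = "account,period,amount\n4000,2024-01,1250.00\n"


def fresh_db():
    """In-memory table standing in for a planning database, with one existing row."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE planning (account TEXT, period TEXT, amount REAL)")
    con.execute("INSERT INTO planning VALUES ('1000', '2023-12', 10.0)")
    con.commit()
    return con


def load_vulnerable(con, upload):
    """Concatenates file fields into SQL text: file content is executed as SQL."""
    for row in csv.DictReader(io.StringIO(upload)):
        stmt = "INSERT INTO planning VALUES ('%s', '%s', %s)" % (
            row["account"], row["period"], row["amount"])
        con.executescript(stmt)  # runs every statement in the string, not just the INSERT
    con.commit()
    return con.execute("SELECT COUNT(*) FROM planning").fetchone()[0]


# Expected shapes of each column; anything else is a malformed upload.
ACCOUNT_RE = re.compile(r"^\d{4,10}$")
PERIOD_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")


class UploadError(ValueError):
    """Raised when an uploaded file fails validation; the whole file is refused."""


def parse_rows(upload):
    """Validate every field before it goes anywhere near SQL."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(upload)), start=2):
        if not ACCOUNT_RE.match(row["account"]) or not PERIOD_RE.match(row["period"]):
            raise UploadError(f"line {lineno}: malformed account or period")
        try:
            amount = Decimal(row["amount"])
        except InvalidOperation:
            raise UploadError(f"line {lineno}: amount is not a number")
        rows.append((row["account"], row["period"], float(amount)))
    return rows


def load_hardened(con, upload):
    """Validated values are bound as parameters; the driver never treats them as SQL."""
    rows = parse_rows(upload)
    con.executemany("INSERT INTO planning VALUES (?, ?, ?)", rows)
    con.commit()
    return con.execute("SELECT COUNT(*) FROM planning").fetchone()[0]


def hardened_rejects(upload):
    """True when the hardened loader refuses the file outright."""
    try:
        load_hardened(fresh_db(), upload)
    except UploadError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable loader, rows left:", load_vulnerable(fresh_db(), UPLOAD))
    print("hardened loader rejects the same file:", hardened_rejects(UPLOAD))
    print("hardened loader, clean file, rows:", load_hardened(fresh_db(), CLEAN_UPLOAD))
```

The point of the hardened version is that it does not try to spot "bad" SQL in the file (keyword filtering is bypassable); it only accepts fields that match the schema the application expects and lets the driver bind them, which is also the property a reviewer should look for in any upload-to-database path.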
Workaround
Revoke the S_GUI authorization object with Activity 60 (Upload) from user accounts. Note: this may cause side effects in other applications — patching is strongly preferred.
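Before revoking anything, it helps to know which roles actually carry S_GUI with Activity 60, since that is where the side effects will land. The script below is an added example for this page, not SAP tooling; it assumes a semicolon-separated export of the role authorization table AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH (the sample export and role names are constructed). It flags roles whose S_GUI ACTVT value is 60, is a range that spans 60, or is the wildcard.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of AGR_1251 (role -> authorization field values).
AGR_1251_EXPORT = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_BPC_PLANNER;S_GUI;T-ABC0001;ACTVT;60;
Z_BPC_PLANNER;S_GUI;T-ABC0001;ACTVT;61;
Z_BW_REPORTING;S_GUI;T-ABC0002;ACTVT;04;
Z_BASIS_ADMIN;S_GUI;T-ABC0003;ACTVT;*;
Z_FI_UPLOAD;S_GUI;T-ABC0004;ACTVT;04;61
Z_HR_DISPLAY;S_TCODE;T-ABC0005;TCD;SU01;
"""

UPLOAD_ACTIVITY = "60"


def grants_upload(low, high):
    """True if an ACTVT value (single, range LOW..HIGH, or '*') covers Activity 60."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:
        # ACTVT values are fixed-width two-character strings, so a
        # lexical comparison matches the range semantics of the export.
        return low <= UPLOAD_ACTIVITY <= high
    return low == UPLOAD_ACTIVITY


def roles_with_upload(export):
    """Map role name -> authorization ids that grant S_GUI Activity 60."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export), delimiter=";"):
        if (row["OBJECT"] == "S_GUI" and row["FIELD"] == "ACTVT"
                and grants_upload(row["LOW"], row["HIGH"])):
            hits[row["AGR_NAME"]].append(row["AUTH"])
    return dict(hits)


if __name__ == "__main__":
    for role, auths in sorted(roles_with_upload(AGR_1251_EXPORT).items()):
        print(f"{role}: {', '.join(auths)}")
```

This reports roles, not users; join the result against the role-to-user assignment (AGR_USERS) to see who is affected, and expect wildcard or ranged entries such as the admin role above to be the ones where revoking Activity 60 alone is not straightforward.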
Patch Action
Apply SAP Note 3719353. The patch deactivates all executable code within the affected program.
Affected Versions
Patch Info