This vulnerability affects all SAP® ABAP servers that use the components mentioned below. It can be exploited over the network and allows an authenticated attacker to inject code into a standard ABAP application, thereby controlling the behavior of the vulnerable component and, through it, the entire SAP® Application Server ABAP.
The impact is of the highest criticality, as the vulnerability enables, among other things:
- Unauthorized execution of arbitrary commands
- Disclosure of sensitive information
- Denial of Service (DoS) attacks
Considering the impact, we advise all customers to implement note 2835979 as soon as possible.
As part of the SEC Consult responsible disclosure process, this vulnerability was reported to SAP® by SEC Consult’s researchers (Alexander Meier and Fabian Hagg) immediately after its discovery on 20th April 2020. Further detailed information will be published three months after the patch release, in accordance with SAP’s responsible disclosure guidelines.
We want to express our thanks to the folks at SAP®, especially the SAP® Product Security Response Team. They responded quickly to every inquiry and released a timely patch on 12th May 2020.