SAP takes the security of its vast product portfolio very seriously and therefore releases security fixes for
vulnerabilities reported by external researchers and its customers every second Tuesday of the month.
SAP Note 2660005 was released on 14.08.2018 and deals with "[CVE-2018-2450] SQL Injection Vulnerability in SAP MaxDB/liveCache" within SAP MaxDB.
We advise you to follow the instructions to resolve this SQL injection (read/write) vulnerability, rated with high potential for exploitation, in component BC-DB-SDB.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of maintenance.
Risk specification: SAP MaxDB/liveCache allows an authenticated DBM operator user to read, modify or delete sensitive data from the application schema in the database through SQL injection.
The implicit privileges of the DBM operator user, which allowed it to access the application schemas, have been reduced to prohibit this in the future. The change is not made via configuration but by a MaxDB patch.
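Because the correction ships only as a MaxDB patch, the first thing an operator wants to know is whether the installed build already carries it. The POSIX shell script below is an added example, not part of SAP Note 2660005 or of this page: it parses the reply of `dbmcli ... dbm_version` and compares the installed version and build number against a minimum build that you pass in. The fixed build is stated in the note itself and not on this page, so it is a parameter here; the `dbm_version` reply layout (an `OK`/`ERR` status line followed by `KEY = value` lines) is assumed from the DBMCLI documentation, and all sample values are constructed.

```shell
#!/bin/sh
# Added example (not from SAP Note 2660005): check whether the installed
# MaxDB/liveCache build is at least the build that the note names as fixed.

# Constructed sample of a `dbmcli -d <db> -u <dbmuser>,<pw> dbm_version` reply.
# The key/value layout is assumed from the DBMCLI docs; the values are made up.
SAMPLE_DBM_VERSION='OK
VERSION    = 7.9.08
BUILD      = DBMServer 7.9.08   Build 032-123-251-102
OS         = LINUX
INSTROOT   = /sapdb/MAXDB/db
LOGON      = True
INSTANCE   = OLTP'

# dbm_build: read a dbm_version reply on stdin and print "<VERSION>.<build>",
# e.g. "7.9.08.32". Returns 1 when the reply is not OK or lacks the fields.
dbm_build() {
    awk '
        NR == 1 && $1 != "OK" { exit 1 }          # dbmcli answers OK or ERR first
        $1 == "VERSION" { ver = $3 }             # "VERSION    = 7.9.08"
        $1 == "BUILD" {                          # "... Build 032-123-251-102"
            for (i = 1; i <= NF; i++)
                if ($i == "Build") { split($(i + 1), b, "-"); build = b[1] }
        }
        END {
            if (ver == "" || build == "") exit 1
            printf "%s.%d\n", ver, build         # %d turns "032" into 32
        }
    '
}

# version_ge A B: exit 0 if dotted version A >= B, comparing each field
# as an integer so that 7.9.08.32 < 7.9.08.40 and 7.9.10.1 > 7.9.08.99.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0        # missing fields count as 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_patch_level REQUIRED_BUILD: read a dbm_version reply on stdin and
# report PATCHED (exit 0), UNPATCHED (exit 1) or UNKNOWN (exit 2).
check_patch_level() {
    required="$1"
    installed=$(dbm_build) || { echo "UNKNOWN: could not parse dbm_version reply"; return 2; }
    if version_ge "$installed" "$required"; then
        echo "PATCHED: installed $installed >= required $required"
        return 0
    fi
    echo "UNPATCHED: installed $installed < required $required"
    return 1
}

# Live use (needs dbmcli on PATH, DBM operator credentials and the fixed
# build from the note):
#   dbmcli -d "$DB" -u "$DBM_USER,$DBM_PASSWORD" dbm_version | check_patch_level "$REQUIRED_BUILD"
# Offline demo against the constructed sample (required build is made up):
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DBM_VERSION" | check_patch_level 7.9.08.40
fi
```

Run it against a real system by piping the `dbm_version` reply into `check_patch_level` with the build number from the note; the script only reads the reply, so the DBM operator account it uses needs no privileges beyond `dbm_version`.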
The advisory is valid for:
- 12