SAP takes the security of its vast product portfolio very seriously and therefore releases security fixes for vulnerabilities reported by external researchers and its customers on the second Tuesday of every month.
SAP Note 2827086 was released on 09.11.2021 and deals with "Several security vulnerabilities in FRP 5.4.0 and FR Engine 5.4.0" within SAP FRP.
We advise you to follow the instructions in the note to resolve a denial of service (DoS) vulnerability with a high potential for exploitation in component IS-R-FRO.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of regular maintenance.
Risk specification: SAP Forecasting and Replenishment Processor and the FR Engine allow an authenticated attacker to misuse logical errors in memory management to cause memory corruption. Additionally, the attacker may leverage insufficient validation of XML documents, resulting in excessive consumption of resources or unavailability of the service.
SAP Forecasting and Replenishment has been updated to prevent excessive consumption of resources.
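The XML resource-exhaustion issue described above stems from documents that are handed to a parser without prior validation. The following pre-parse guard is an added example (not code from SAP or from the FRP product) of the kind of check an integration layer in front of FRP could apply to inbound XML: it rejects oversized input, any DOCTYPE/DTD (the entity-expansion vector) and excessive nesting before a full parse is attempted. The size and depth limits and the sample messages are constructed for illustration.

```python
"""Pre-parse guard for inbound XML (added example, not SAP code).
Rejects oversized documents, DTD/entity declarations and deep nesting
before the document reaches a resource-hungry downstream parser."""
import xml.parsers.expat

MAX_DEPTH = 64          # constructed limit; tune to the real message schema
MAX_BYTES = 1_000_000   # constructed size ceiling for a single document

class XmlRejected(Exception):
    """Raised when a document fails one of the guard's checks."""

def check_xml(data: bytes, max_depth: int = MAX_DEPTH, max_bytes: int = MAX_BYTES) -> dict:
    """Return {'max_depth', 'elements'} for an accepted document, else raise XmlRejected."""
    if len(data) > max_bytes:
        raise XmlRejected(f"document exceeds {max_bytes} bytes")
    parser = xml.parsers.expat.ParserCreate()
    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is where entity declarations live; refusing it up front
        # means no entity can ever be expanded for this document.
        raise XmlRejected("DOCTYPE/DTD not permitted")

    def on_entity(*_):
        raise XmlRejected("entity declaration not permitted")

    def on_start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        if stats["depth"] > max_depth:
            raise XmlRejected(f"nesting deeper than {max_depth}")
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])

    def on_end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)   # exceptions raised in handlers propagate out of Parse()
    except xml.parsers.expat.ExpatError as e:
        raise XmlRejected(f"malformed XML: {e}")
    del stats["depth"]
    return stats

def rejection_reason(data: bytes):
    """None if the document is accepted, otherwise the rejection reason as a string."""
    try:
        check_xml(data)
        return None
    except XmlRejected as e:
        return str(e)

# Constructed sample messages (not real FRP payloads)
BENIGN = b'<?xml version="1.0"?><forecast><store id="0815"><item sku="4711">12</item></store></forecast>'
DTD_SAMPLE = b'<!DOCTYPE f [<!ENTITY e "x">]><f>&e;</f>'
DEEP = b"<a>" * 80 + b"</a>" * 80
```

Running the guard before the real parser turns an unbounded parse into a cheap, bounded rejection; the reason string is suitable for logging so that repeated rejections from one client can be alerted on.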
The advisory is valid for
- FRP 5.4.0
- FR_PROC 540