A note with CVSS 6.0 for component SV-SMG-DIA-SRV-AGT was released by SAP on 13.12.2022. The correction/advisory 3265173 was described with "[CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)" and affects the system type Java.
A workaround exists, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is information disclosure within Java.
Information disclosure is when an application fails to properly protect sensitive and confidential information from
parties that are not supposed to have access to the subject matter in normal circumstances.
Carefully review every information disclosure vulnerablity in regards to disclosure obligations post-GDPR for ‘Personal data’ under the Data Protection Act 2018.
Risk specificationSAP Solution Manager allows an authenticated attacker on the Windows server to access a files containing sensitive data from the filesystem. These files may contain configuration or credentials.
The group and individual user access are removed for the secured files and folder. Only the user who is running the agent will have full access to these secured files and folders. Although an alternative solution exists, it is advisable to apply the correction! This is the workaround, which was suggested by the SAP security experts: "As manual workaround, you can fix the windows file permission manually as described in the note".
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 9.9 [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management)
- 9.8 [CVE-2023-28765] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management )
- 9.1 [CVE-2023-28762] Information Disclosure in SAP BusinessObjects Business Intelligence Platform (Central Management Console)
- 9.0 [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit)
- 8.9 Information Disclosure in Central Order