Symptom
An attacker authenticated as a user with a remote execution authorization can use a vulnerable interface to invoke an application function and perform actions that they would not normally be permitted to perform. Depending on the function executed, the attacker can read or modify any user or business data and can make the entire system unavailable.
Other Terms
Command Injection, OS command injection, CVE-2024-22131
Solution
Implement Support Package or correction instructions.
The solution implements a secure-by-default configuration. Therefore, you have to adjust the configuration if you are in fact using the remote capability of the component. See related note 3415038 for details and recommendations on how to update the configuration.
Workaround
Please assess the workaround applicability for your SAP landscape prior to implementation.
Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
Review your settings regarding authorization object S_RFC and do not allow calls to function modules of CA-SUR remotely.
Keep in mind that this workaround would disable the remote capability of the component.
CVSS
CVSS Score : 9.1
CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
Software Components
Software Component From To And subsequent
Correction Instructions
Software Component Number of Correction Instructions
SAP_ABA 3
Prerequisites
Software Component  From  To   SAP Note/KBA  Title                                             Component
SAP_ABA             700   710  1110803       SURVEY: BAdI for authorization check              CA-SUR
SAP_ABA             700   711  1354949       Survey: Adding new questions to answered surveys  CA-SUR
Support Package
Software Component Version Support Package
3415038