Palo Alto, CA - March 20, 2013 ERPScan researchers have helped SAP to significantly increase the security of SDM (Software Deployment Manager) tool. During a deep research, ERPScan team has reviewed SDM security for program vulnerabilities and architecture issues, including authentication process.
SDM is a part of SAP NetWeaver J2EE Engine and facilitates uploading new custom-developed software to the J2EE Engine. The security model of this tool was increased by patching software issues as well as architecture problems targeting client-server interaction. The solution was reviewed thoroughly by SAP Product Security Response Team in collaboration with ERPScan.
SAP released the security advisory and patch for those vulnerabilities in October 2012. This patch must be installed on both server and client side of SDM to be able to work properly.
We want to pay attention to this patch and strongly advise that all SAP users implement it if it was not implemented before because it closes 6 different issues, from Denial of Service to Authentication Bypass.