Remote Code Execution in SAP Change and Transport System Attach Tool
SAP Change and Transport System Attach Tool (ctsattach)
RCE in a transport system component is a meaningful risk — the CTS is the mechanism that promotes changes through your landscape, so a compromised ctsattach tool could be used to introduce malicious transports. Restrict network access immediately and patch within two weeks.
Vulnerability Detail
An insecure deserialization vulnerability in the SAP Change and Transport System Attach Tool (ctsattach) allows an attacker with network access to the tool to send a maliciously crafted payload that triggers remote code execution on the server hosting ctsattach. The CTS Attach Tool is used for attaching external systems to the SAP Change and Transport System.
Workaround
Restrict network access to the ctsattach tool to trusted CTS infrastructure only. The tool should not be reachable from general user networks.
Patch Action
Apply SAP Note 3773304.
Affected Versions
Patch Info