The new vulnerability that SAP has posted about for SAP Business One is a code injection vulnerability.
Currently, users can upload just about any file type as an attachment to items such as Sales Orders in SAP Business One. This includes executable files such as exe, bat, rpt and more. It has been determined that this could be a security risk, as those files can be malicious or infected with a virus without the user even knowing it. Attaching and opening these possibly infected files may spread the infection to more users on the same network.
What is the Solution?
First of all, users MUST be currently running SAP Business One 10.0 FP2202 – this is the first patch that has included features to protect users from this code injection vulnerability.
You can find these patches at the SAP ONE Support Launchpad.
In this patch, SAP has enhanced the attachments upload tool with the ability to refuse to upload certain types of files, preventing dangerous files from spreading to other users or running in the system.
What file types are blocked?
The file types that are blocked are based on the Microsoft Outlook block list. You can view the block list here.
Can I edit the file block list?
Yes! Either an SAP Business Manager or Super User will have the ability to edit this block list.
To do this inside SAP Business One, navigate to the Administration section of your Menu. Select System Initialization and then General Settings. This will bring up the General Settings pop-up.
Inside the General Settings pop-up, click on the tab labelled Path. Here, you will see a line that says Block Executable Attachments. To view the current block list, and add or delete file types, click on the ellipsis (…) next to this line – this will bring up a new pop-up showing the Block List Selection.
If you are a Super User, you can make changes to this list here.
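How an extension block list like the one described above behaves once file names are normalized, as an added Python example that is not SAP's code and not part of the original article. The sample list, function names and file names are constructed, and the normalization steps are assumptions about what a Windows-side check needs, not a description of SAP's implementation.

```python
import ntpath

# Constructed sample block list: the three types the article names plus a few
# entries from Microsoft's published Outlook blocked-attachment list.
SAMPLE_BLOCKED = {"exe", "bat", "rpt", "cmd", "com", "vbs", "js", "scr", "msi"}


def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased, without the dot."""
    # Keep only the last path component so a dotted folder name is not
    # mistaken for a file extension.
    name = ntpath.basename(filename)
    # Windows drops trailing dots and spaces when a file is created,
    # so "deploy.bat. " lands on disk as "deploy.bat".
    name = name.rstrip(". ")
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def is_blocked(filename, blocked=SAMPLE_BLOCKED):
    """True when the file's effective extension is on the block list."""
    # Accept list entries written as ".EXE", "exe" or " exe " alike, since an
    # administrator-edited list may not be consistently formatted.
    normalized = {entry.strip().lstrip(".").lower() for entry in blocked}
    return effective_extension(filename) in normalized


def screen_uploads(filenames, blocked=SAMPLE_BLOCKED):
    """Split candidate attachments into (accepted, refused) lists."""
    accepted, refused = [], []
    for name in filenames:
        (refused if is_blocked(name, blocked) else accepted).append(name)
    return accepted, refused


if __name__ == "__main__":
    # Constructed attachment names for the demonstration.
    candidates = ["invoice.pdf", "Setup.EXE", "invoice.pdf.exe",
                  "deploy.bat. ", "notes.exe.txt", "sales.rpt"]
    ok, refused = screen_uploads(candidates)
    print("accepted:", ok)
    print("refused: ", refused)
    # An administrator who removes rpt from the list changes the outcome.
    print("rpt with edited list:", is_blocked("sales.rpt", {"exe", "bat"}))
```

A check like this only looks at the name, so a renamed executable with an allowed extension still passes; it complements endpoint scanning rather than replacing it.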