SAP this week released a series of security updates for its products that address a total of 28 vulnerabilities.
Of the 28 vulnerabilities included in the SAP Security Patch Day for March 2016, 14 are new patches, while four are updates to previously released fixes. Ten are Support Package Notes, the enterprise software company says.
SAP also revealed that it made a change in security note prioritization, which is now based on the Common Vulnerability Scoring System v3.0 (CVSS v3).
Three of the closed SAP Security Notes in the new round of updates have a high priority rating. The highest CVSS score of the vulnerabilities is 9.0 and most of these vulnerabilities belong to the SAP JAVA applications security, says ERPScan, a company that specializes in securing SAP and Oracle business-critical software.
The most common vulnerability type in the new Security Notes is Cross-Site Scripting and Information disclosure (6 each), followed by missing authorization check (5), XML external entity (3), implementation flaws (2), and OS command execution, directory traversal, and denial of service (1 each).
With a CVSS Base Score of 9.0, the OS command execution vulnerability in SAP SCTC_* Function modules was considered the most important Critical flaw patched by SAP this month. Next in line are an Implementation flaw vulnerability in SAP SDCC Download Function Module (CVSS Base Score: 8.5), an XML external entity vulnerability in SAP Configuration Wizard (CVSS Base Score: 6.4), and an XML external entity vulnerability in SAP RTMF (CVSS Base Score: 6.3).
The OS command execution vulnerability could be exploited by an attacker to execute operating system commands without authorization. The attacker could also access arbitrary files and directories located in an SAP server filesystem and could obtain critical technical and business-related information stored in the vulnerable SAP system.
The Implementation flaw vulnerability could result in unpredictable behavior of a system, troubles with stability and safety, ERPScan researchers reveal. The XML external entity vulnerability in SAP RTMF could allow an attacker to get unauthorized access to OS filesystem by sending specially crafted unauthorized XML requests that are processed by an XML parser.
ERPScan researchers discovered five of the vulnerabilities closed in the March SAP Security Notes, namely the XML external entity vulnerability in SAP Configuration Wizard, a Cross-site scripting vulnerability in SAP NavigationURLTester (CVSS Base Score: 6.1) and one in SAP User Interface/Navigation (CVSS Base Score: 6.1), a Directory traversal vulnerability in SAP Java Monitoring (CVSS Base Score: 5.8), and an Information disclosure vulnerability in SAP Real Time Collaboration Chat (CVSS Base Score: 4.3).
By exploiting these flaws, an attacker could gain unauthorized access to the OS filesystem, could inject a malicious script into a page, or access information (system data, debugging information, etc) that will help him to learn about a system and to plan other attacks. The attacker could also access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files.
SAP customers are advised to patch all of the aforementioned vulnerabilities by installing the new set of SAP Security Notes. Additional details on the SAP Security Notes are available on the SAP Support Portal.
Last month, SAP patched 16 security flaws in its products, including 13 that have been rated “high severity,” with cross-site scripting (XSS), missing authorization check, and implementation flaws being the most common issues. In January, SAP patched 4 new vulnerabilities, although the company addressed 23 vulnerabilities in its products with that month’s set of patches.
