SecurityWeek


SAP Patches Flaws in xMII, Other Products

The February 2016 Patch Day Security Notes released by enterprise software maker SAP on Tuesday address vulnerabilities in several of the company’s products.


The patches released this week address 16 issues, including 13 that have been rated “high severity.” SAP security experts at ERPScan pointed out that the vendor also released two Support Package Notes, and five additional patches have been made available over the past month since the release of the January 2016 updates.

The most common types of flaws patched this month are cross-site scripting (XSS), missing authorization check, and implementation flaws.

Four of the security holes fixed this month were reported to SAP by ERPScan, including a directory traversal in SAP xMII (Manufacturing Integration and Intelligence), a solution designed to connect an organization’s business operations to systems on the plant floor. The flaw can be exploited by an attacker to access potentially sensitive information stored on the SAP server filesystem.

This SAP product plays an important role in the operations of manufacturing, energy, oil and gas, and utility companies. Vulnerabilities in xMII can be leveraged in the first phase of a multi-stage attack whose goal is to give malicious actors control over plant devices and manufacturing systems, experts warned.

At the Black Hat Europe conference last year, ERPScan researchers showed how attackers can target companies in the oil and gas sector using vulnerabilities in SAP xMII and other business applications that bridge operational and information technology networks.

ERPScan also reported three other new flaws that have been patched by SAP, including a SQL injection in SAP Universal Description, Discovery and Integration (UDDI), an information disclosure issue in SAP Universal Worklist Configuration, and an XSS in SAP Java Proxy Runtime.

A blog post published by ERPScan on Tuesday also describes three other newly patched vulnerabilities that the security firm has classified as “critical.” One of them, with a CVSS score of 7.5, is an OS command execution flaw in SAP’s TREX search technology.


Another serious weakness, found in the SAPSSOEXT library, can be exploited for denial-of-service (DoS) attacks: an attacker can use it to terminate a service, which could lead to system downtime and disruption of the business process.

ERPScan has also advised SAP customers to quickly apply the patch for an XSS vulnerability in HANA Extended Application Services SAPUI5.

Related: SAP Security Updates Patch 4 New Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
