
SAP Releases 18 Security Notes in June 2017 Patch Day

SAP this week released its June 2017 set of security patches to address various bugs across its products, including a denial of service vulnerability that potentially impacts over 3,400 services exposed to the Internet.

SAP included 18 security notes in its latest SAP Security Patch Day. Together with updates to previously released notes and 11 security notes published after the second Tuesday of the previous month and before the second Tuesday of this month, the June Patch Day comprises a total of 29 security notes (21 SAP Security Patch Day Notes and 8 Support Package Notes).

Five of the notes carried a High priority rating, two of them for vulnerabilities with a CVSS score of 7.5. Of the issues, 23 were rated Medium risk and one Low severity, points out ERPScan, a company that specializes in securing SAP and Oracle products.

The most common vulnerability type addressed this month is Cross-Site Scripting (XSS), at 8 bugs, followed by denial of service (DoS) and information disclosure at 4, XML external entity at 3, missing authorization checks at 2, and cross-site request forgery, SQL injection, authentication bypass, and open redirect at 1 each.

The most important of the addressed issues were DoS bugs in SAP NetWeaver Instance Agent Service, and in BILaunchPad and Central Management Console, featuring a CVSS base score of 7.5 each. By terminating the process of the vulnerable component, an attacker could prevent access to the service.

“One of two Notes assessed at High priority is a DoS vulnerability in SAP Host Agent Service identified by our researchers. The vulnerability is remotely exploitable without authentication. We have also conducted a custom scan that revealed that there are about 3,400 potentially vulnerable such services available online,” ERPScan’s Darya Maenkova told SecurityWeek in an email.

The issue, ERPScan says, was reported to SAP in November 2016, and could cause response delays and service interruptions, with direct impact on availability. Most of the vulnerable services exposed to the Internet are located in the United States (780), India (691), China (216), Korea (126), and Mexico (114).

Other High priority flaws that SAP addressed this month include a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1) in the SAP BusinessObjects Web Intelligence HTML interface and a Missing Certificate Verification vulnerability (CVSS Base Score: 7) in SAP CommonCryptoLib (a bug related to HTTPS certificate validation).

Another High risk security note is an update to a note released in March 2017, “Improved security for outgoing HTTPS connections in SAP NetWeaver” (CVSS Base Score: 7.4). As Onapsis explains, this note “includes more information on how to properly configure HTTPS connections securely.”
