
SAP Becomes CVE Numbering Authority

Released this week with fixes for 11 vulnerabilities, SAP’s Security Patch Day for December 2017 marks a change in the history of SAP patches: it also includes CVE numbers in the titles of the security notes.


The change is a result of SAP becoming a CVE Numbering Authority (CNA), which authorizes it to assign CVEs to vulnerabilities in its own products. The company’s stated goal is to disclose the CVE numbers of addressed vulnerabilities on its Security Patch Day, in an effort to increase “transparency and facilitate faster patch consumption for all SAP customers.”

Of the security notes the company included in this month’s Security Patch day, one was Hot News, or Very High priority, featuring a CVSS score of 9.1. The flaw, an OS Command Injection vulnerability in Report for Terminology Export impacting SAP Netweaver Documentation and Translation tools, is an update to a security note released in November 2017.

The note, Onapsis says, is actually a re-released version, as it was initially published one year ago. At the time, SAP removed the affected lines of code, as they were obsolete. All the code that used to run when the report was executed in the background was removed, but the original patch apparently failed to properly solve the issue.

In the re-release, SAP added a new step toward solving the bug. Thus, in addition to implementing the correction instructions referenced by the SAP note, impacted customers also need to follow the manual steps in the document Manual instructions for creating GUI status related to note 2357141.pdf, which is available on the SAP customer portal.

“Onapsis Research Labs has tested the component and discovered that the previous patch properly solves the bug. Despite securing the vulnerability, it introduced a little malfunction in the SAP software. Even though the relevant report is secure, after installing the patch the report interface then breaks in the SAP GUI by being unresponsive to interactions such as button clicks,” Onapsis explains.

The new instructions provide information on how to manually correct the issue to execute the report and also remain secure. According to Onapsis, there are no additional security concerns related to the re-released security note and those who have already applied the original patch are protected. Those who haven’t should apply the note as soon as possible, considering that it is Hot News.

The new set of SAP security patches also includes three High priority notes. One addresses an Additional Authentication check in Trusted RFC on same system (CVE-2017-16689), another fixes a Missing Authentication check in SAP BI Promotion Management Application (CVE-2017-16684), while the third updates an August 2014 patch note: SBOP solution for Apache Struts 1.x vulnerability (CVE-2014-0094).


The rest of the flaws addressed this month were Medium priority. The most important of them include a Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration (CVE-2017-16685), a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service (CVE-2017-16678), a Denial of Service (DoS) in SAP BusinessObjects Platform (CVE-2017-16683), and an XSS vulnerability in BI Promotion Management Application (CVE-2017-16681).

The 11 security notes released as part of the December 2017 Security Patch Day are accompanied by 4 updates to previously released notes and 4 support package notes, for a total of 19 security notes, ERPScan reveals. Six of the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Implementation flaw was the most common type of vulnerability addressed this month (5 flaws), followed by XSS (2 bugs), Information Disclosure (2), Missing Authorization Check (2), Denial of Service (2), OS command execution (2), Remote Command Execution (1), Open Redirect (1), SSRF (1), and Log injection (1).

The Log injection vulnerability (CVE-2017-16687) impacts SAP HANA XS classic user self-service and features a CVSS Base Score of 5.3. By exploiting the flaw, an attacker could inject arbitrary data in the audit log. By flooding it with a large amount of illegal data, the audit log can no longer be easily analyzed. The operation could also result in a rapid depletion of disk space and in damage to the event log.
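The log injection class described above is not specific to SAP HANA: any audit log that concatenates attacker-controlled text into a line-oriented record can have new records forged (via embedded CR/LF) or be flooded with oversized values. The following is an added example, not code from SAP, Onapsis or ERPScan, showing the weak write pattern beside a hardened one that neutralizes control characters, caps field length and emits one JSON object per line. All sample inputs and the `LOGIN_OK` event name are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs (not values from SAP HANA or the article): one
# benign username, one that embeds a newline followed by a forged record,
# and one over-long value intended to bloat the log.
SAMPLE_USERS = [
    "alice",
    "bob\n2017-12-12T10:00:00Z LOGIN_OK user=admin",
    "carol" + "A" * 10_000,
]

MAX_FIELD_LEN = 256
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_audit_line(event, user, ts):
    """The weak pattern: untrusted text is concatenated straight into a
    line-oriented log, so a CR/LF inside `user` ends the record early and the
    remainder is written as if it were a separate, legitimate record."""
    return f"{ts} {event} user={user}\n"


def neutralize(value, max_len=MAX_FIELD_LEN):
    """Hardened pattern, step 1: make an attacker-controlled value safe for a
    line-oriented log. Control characters (including CR and LF) are replaced
    with visible \\xNN escapes so the value can neither terminate nor forge a
    record, and the value is length-capped so a flood stays bounded."""
    escaped = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)
    if len(escaped) > max_len:
        dropped = len(escaped) - max_len
        escaped = escaped[:max_len] + "...[truncated %d chars]" % dropped
    return escaped


def audit_line(event, user, ts=None):
    """Hardened pattern, step 2: emit the record as one JSON object per line.
    json.dumps escapes any remaining newline or quote, so even a value that
    slipped past neutralize() could not break the one-record-per-line rule."""
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat()
    record = {"ts": ts, "event": event, "user": neutralize(user)}
    return json.dumps(record, separators=(",", ":")) + "\n"


def parse_audit_log(text):
    """Reader side: every non-empty line must be exactly one JSON object."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def record_count(writer, users, ts="2017-12-12T00:00:00Z"):
    """Count how many log lines `writer` produces for the given user values.
    A difference between writers for the same inputs is the injection."""
    return sum(len(writer("LOGIN_OK", u, ts).splitlines()) for u in users)


if __name__ == "__main__":
    print("naive writer lines:   ", record_count(naive_audit_line, SAMPLE_USERS))
    print("hardened writer lines:", record_count(audit_line, SAMPLE_USERS))
    log = "".join(audit_line("LOGIN_OK", u, "2017-12-12T00:00:00Z") for u in SAMPLE_USERS)
    for rec in parse_audit_log(log):
        print(rec["user"][:60])
```

Run stand-alone, the script shows the naive writer emitting four lines for three login events (the forged `user=admin` record appears as its own line) while the hardened writer emits exactly three, and the parser reads the escaped newline back as literal text rather than as a record boundary. The disk-space concern from the article is addressed by the length cap; the analyzability concern by the escaping and the structured format.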

Related: SAP Patches Critical Issues With November 2017 Security Updates

Related: SAP Patches Critical Code Injection Flaw in TREX

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
