SAP Patches 22 Vulnerabilities With February 2017 Security Updates

SAP on Tuesday announced the release of its February 2017 security updates, which includes 15 Patch Day Security Notes and 3 updates to previously released Patch Day Security Notes.

Only High and Medium severity vulnerabilities were addressed this month; the highest CVSS score among them is 8.5. Multiple patches were released for SAP's HANA database management system.

According to ERPScan, a company specialized in securing SAP and Oracle products, SAP's February 2017 Security Patch Day also saw the release of 7 Support Package Notes, for a total of 22 patches across products. Seven of the patches were rated High risk, while the remaining 15 were assessed as Medium severity.

The most common vulnerability type addressed this month is Missing Authorization Check (5 patches), followed by Cross-Site Scripting (4 patches), denial of service (3 patches), and XML External Entity (2 patches). The remaining 8 flaws include: directory traversal, implementation flaw, privilege escalation, buffer overflow, ABAP code injection, cross-site request forgery, clickjacking, and multiple issues.

The most important issues addressed this month include a Missing Authorization Check vulnerability (CVSS Base Score: 8.5) in SAP NetWeaver Data Orchestration, which could allow an attacker to access the service without authorization and use functionality that is meant to be restricted, along with an Implementation Flaw vulnerability (CVSS Base Score: 8.2) in SAP GRC Access Control EAM, which can cause unpredictable system behavior and stability and safety problems.

Additionally, SAP patched a Memory Corruption vulnerability (CVSS Base Score: 8.0) in SAP 3D Visual Enterprise Author, Generator and Viewer, which could allow an attacker to inject specially crafted code into the application's working memory and have it executed by the vulnerable application; the injected code runs with the same privileges as the service that executed it.

Three of the issues were disclosed by ERPScan researchers: multiple vulnerabilities in SAP HANA (CVSS Base Score: 8.3), namely a denial of service that could allow an attacker to crash a process of a vulnerable component and an Implementation Flaw (an insecure default user-creation policy) in the third-party Sinopia repository server (a private npm registry), and an XML External Entity vulnerability in SAP Visual Composer VC70RUNTIME (CVSS Base Score: 6.5).

The vulnerabilities in SAP HANA can be exploited together, ERPScan says: “The first vulnerability allows an attacker to create a new user over the Internet without authentication. After that, an adversary can create a new repository. If a package name contains special characters, the server will crash. As a result of the attack, the project would be unavailable meaning a stoppage of developing processes. Moreover, the vendor’s advisory states that other SAP HANA XS components also could be potentially impacted.”
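The two-step chain ERPScan describes (open self-registration, then a publish request whose package name the server cannot handle) is easy to model. The following is an added example, not code from the article, ERPScan, SAP or the Sinopia project: a toy registry in Python with the vulnerable publish handler beside a hardened one, and registration gated the way Sinopia's htpasswd `max_users` setting gates it (`-1` disables self-registration in Sinopia's default config.yaml). The class and function names, the way the unsafe handler fails, and the malicious package name are assumptions for illustration; the article does not say which setting SAP changed.

```python
"""Toy model of a Sinopia-style private npm registry (added example, assumptions
throughout: this is not Sinopia's or SAP's code)."""
import re

# npm's documented package-name rules: optional @scope/, lowercase, URL-safe
# characters only, no leading "." or "_", at most 214 characters in total.
_NAME_RE = re.compile(r"^(?:@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$")


def valid_package_name(name: str) -> bool:
    """Reject anything npm itself would not accept before it reaches storage."""
    return 0 < len(name) <= 214 and _NAME_RE.match(name) is not None


class Registry:
    """Minimal registry: a user table, a package table, two publish handlers."""

    def __init__(self, max_users: int):
        # Mirrors the htpasswd 'max_users' knob in Sinopia's config:
        # -1 disables self-registration, otherwise it caps registered users.
        self.max_users = max_users
        self.users = {}
        self.packages = {}

    def register(self, username: str, password: str):
        """Unauthenticated 'npm adduser' against the registry."""
        if self.max_users == -1:
            return 403, "self-registration disabled"
        if len(self.users) >= self.max_users:
            return 409, "user limit reached"
        self.users[username] = password
        return 201, "user created"

    def publish_unsafe(self, username: str, name: str):
        # Vulnerable shape (assumed): the handler parses the name on the
        # assumption that it contains at most one "/" and lets the resulting
        # exception propagate. In a single-process server an unhandled
        # exception takes the whole service down, i.e. a denial of service.
        if username not in self.users:
            return 401, "authentication required"
        scope, pkg = name.split("/") if "/" in name else (None, name)
        self.packages[name] = {"scope": scope, "pkg": pkg, "owner": username}
        return 201, "published"

    def publish_safe(self, username: str, name: str):
        # Hardened: validate the name before any parsing and fail closed
        # with a 4xx instead of crashing.
        if username not in self.users:
            return 401, "authentication required"
        if not valid_package_name(name):
            return 400, "invalid package name"
        return self.publish_unsafe(username, name)


def run_chain(registry: Registry, hardened: bool):
    """Replay the two-step attack; return (register_status, publish_status)."""
    reg_status, _ = registry.register("attacker", "hunter2")  # constructed attacker
    if reg_status != 201:
        return reg_status, None
    publish = registry.publish_safe if hardened else registry.publish_unsafe
    try:
        pub_status, _ = publish("attacker", "evil/../pkg/x")  # constructed bad name
    except ValueError:
        pub_status = "crash"  # unhandled exception == process down
    return reg_status, pub_status


if __name__ == "__main__":
    print("default config, unsafe handler:", run_chain(Registry(1000), False))
    print("default config, safe handler:  ", run_chain(Registry(1000), True))
    print("registration disabled:         ", run_chain(Registry(-1), False))
```

With the permissive default the unsafe handler crashes on the first crafted publish; validating the name turns that into a 400, and setting `max_users: -1` stops the chain at step one because the attacker never gets an account. Either fix alone closes the path described in the quote; a registry exposed to untrusted networks wants both.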

In related news, Microsoft announced on Tuesday that a last minute issue forced the company to delay the release of its security updates for February 2017. It’s unclear when the patches will be made available.

Related: SAP Patches Multiple XSS and Missing Authorization Vulnerabilities

Related: SAP Resolves Multiple Information Disclosure Flaws

Related: In Review: SAP’s 3,660 Security and Support Notes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
