SAP today released its November 2017 set of patches to address 22 vulnerabilities across its product portfolio, including three issues rated Very High priority (Hot News).
The enterprise software maker included 13 patches in this month’s SAP Security Patch Day, to which 9 patches that are updates to previously released security notes are added.
Three of the security notes address vulnerabilities considered Hot News, one patches a High severity issue, while the remaining 18 security notes address Moderate risk bugs. The highest CVSS score of the patches is 9.1.
This is the first SAP Security Patch Day to include Hot News security notes after one of the April 2017 security patches addressed a Very High priority vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.
All three Hot News security notes were updates to previously released notes. One of them was patched in September 2016 and is a code injection vulnerability in Text Conversion. Onapsis, a company that specializes in security SAP and Oracle applications and which reported the vulnerability, explains that SAP updated the security note with some additional correction instructions.
The other two flaws were both resolved in September 2017 and represent an information disclosure in SAP Landscape Management (LaMa) 3.0 and an information disclosure in LVM 2.1 and LaMa 3.0. Both bugs result in an attacker being able to access relevant data under certain conditions, Onapsis says.
According to ERPScan, another company that specializes in the security of SAP and Oracle software, 10 Support Package Notes should be added to the aforementioned 22 security notes, for a total of 32 patches (3 Hot News, 2 High, 26 Medium, and 1 Low).
13 of all the patches are updates to previously released notes and 15 of the notes were released after last month’s Security Patch Day but before today, ERPScan says.
SAP resolved 6 implementation flaws this month, 5 XSS bugs, 5 Information disclosure issues, 5 missing authorization checks, 3 XML external entity flaws, 2 directory traversal bugs, a local command execution, an OS command execution, a XSFR, a clickjacking bug, a privilege escalation flaw, and a log injection issue.
Some of the most dangerous vulnerabilities addressed this month include an implementation flaw (CVSS Base Score: 8) in SAP Management Console, a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP SAPUI5, and a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP BusinessObjects Analysis Edition for OLAP.
SAP also resolved a couple of issues impacting SAP Hana, namely an information disclosure vulnerability in SAP HANA Extended Application Services (XS Advanced) and an information disclosure in SAP NetWeaver Instance Agent Service.