SAP Patches Critical Vulnerabilities in Enterprise Products

SAP on Tuesday issued a new round of monthly security updates for its products, patching a total of 10 vulnerabilities, including critical flaws in ASE XPServer, Crystal Reports for Enterprise, and Predictive Analytics.

The vulnerability in ASE XPServer was rated “hot news”, featuring a CVSS Base Score of 9, while the other two were rated high risk, each with a CVSS Base Score of 7.3. Six of the remaining vulnerabilities were rated medium risk, while the last one was low risk, SAP revealed.

According to SAP, two of the resolved issues were missing authorization check bugs, two were information disclosure flaws, one was a Cross-Site Scripting (XSS) vulnerability, and one was a clickjacking issue. The company also resolved a missing authentication bug and three other security flaws in its products.

In addition to the 10 SAP Security Patch Day Notes in the new security updates, SAP also released 11 Support Package Notes, one of them rated high risk, according to ERPScan, a company specialized in securing SAP and Oracle business-critical software. ERPScan also notes that 10 of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month.

This month, SAP resolved mainly vulnerabilities in the SAP NetWeaver ABAP platform (43 percent), which serves as the backend platform for most of the common business applications, including ERP, CRM, SRM, and PLM. Java was the second most affected platform, with 14 percent of the flaws, ERPScan reveals.

The most important of the newly patched vulnerabilities is a missing authorization check in ASE XPServer. An attacker leveraging it could access the service without authorization and use functionality that should be restricted, which could lead to information disclosure, privilege escalation, and other attacks.

The two high risk vulnerabilities patched this month are remote command execution bugs in SAP Crystal Reports for Enterprise and SAP Predictive Analytics. An attacker exploiting these flaws could execute commands remotely without authorization, and the commands would run with the same privileges as the service that executed them.

The vulnerabilities would allow an attacker to access arbitrary files and directories on the SAP server's filesystem, such as application source code, configuration, and critical system files. An attacker could also obtain critical technical and business-related information stored in the vulnerable SAP system.


SAP also patched two critical vulnerabilities identified by ERPScan researchers Alexey Tyurin and Vahagn Vardanyan. According to ERPScan, these are hard-coded credentials vulnerabilities, which it describes as one of the most important but underestimated issues in SAP security.

The researchers discovered a hard-coded credentials vulnerability in the SAP Code Page Conversion Tool that could allow an attacker to gain unauthorized access and perform actions in the system. They also found hard-coded default credentials in the SAP Hybris E-commerce Suite VirtualJDBC component, which was fixed without a security note.

“Hard-coded information of different types (system names, usernames, passwords, and so on) occurs often in SAP systems. It can be in ABAP code written by SAP developers, an internal company team or third-party developers. According to our statistics, we identified at least one vulnerability of this type in the ABAP code in 90% of companies during our Vulnerability Assessment projects and other professional services. This vulnerability is quite dangerous because it allows an attacker to control the program and to perform a particular function depending on predefined parameters,” Vahagn Vardanyan, Senior Consultant, Code Security Team, Offensive Services department at ERPScan, said.
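The two patterns ERPScan describes above, a program branch keyed to a literal user name and logon data embedded as string literals, can be caught with a lightweight static scan of ABAP source. The Python script below is an added example and is not ERPScan's tool or any SAP code; the ABAP fragment, the rule names and the regular expressions are constructed for illustration and are heuristics, not a complete detector.

```python
import re
from dataclasses import dataclass

# Constructed ABAP fragment (not real SAP code) showing the two patterns:
# a branch that only runs for one hard-coded user, and RFC logon data
# written as string literals.
SAMPLE_ABAP = """\
REPORT z_order_release.
DATA: lv_user TYPE sy-uname,
      lv_pwd  TYPE string.
* Backdoor: extra logic only for one hard-coded user
IF sy-uname = 'ZBACKDOOR'.
  PERFORM release_all_orders.
ENDIF.
* Hard-coded RFC logon data
lv_pwd = 'Summer2016!'.
CALL FUNCTION 'RFC_PING' DESTINATION 'PRD_CLNT100'
  EXPORTING
    user     = 'DDIC'
    password = lv_pwd.
IF lv_user = sy-uname.
  WRITE: / 'ok'.
ENDIF.
"""


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # name of the heuristic that fired
    text: str   # the offending code line, stripped


# Heuristic rules (assumed, not from SAP or ERPScan). ABAP keywords and
# identifiers are case-insensitive, so every pattern is compiled that way.
RULES = [
    # Program flow compared against a literal user name: IF sy-uname = 'X'.
    ("hardcoded-user-check",
     re.compile(r"\bsy-uname\s*(=|EQ|<>|NE)\s*'[^']+'", re.IGNORECASE)),
    # A string literal assigned to anything that looks like a password field.
    ("hardcoded-password-literal",
     re.compile(r"\b\w*(passw(or)?d|pwd)\w*\s*=\s*'[^']+'", re.IGNORECASE)),
    # Logon parameters of a CALL FUNCTION ... DESTINATION passed as literals.
    ("hardcoded-rfc-credential",
     re.compile(r"^\s*(user|password|client)\s*=\s*'[^']+'", re.IGNORECASE)),
]


def scan_abap(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, in source order."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        # A '*' in column 1 marks a full-line comment; a '"' starts an
        # end-of-line comment. Skip both so commented-out code is not counted.
        if raw.startswith("*"):
            continue
        code = raw.split('"', 1)[0]
        for name, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(lineno, name, code.strip()))
    return findings


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    """Aggregate findings per rule, e.g. for a per-system summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f.line:>3}  {f.rule:<28} {f.text}")
    print(count_by_rule(scan_abap(SAMPLE_ABAP)))
```

On the sample, the scan flags the `sy-uname` backdoor check, the literal assigned to `lv_pwd`, and the literal `user` parameter of the RFC call, while leaving the legitimate `IF lv_user = sy-uname.` comparison and the commented-out lines alone. Such a scan only finds literals visible in the code; credentials pulled from custom tables or obfuscated with string concatenation need a manual review.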

In addition to SAP, Adobe and Microsoft released software updates on Tuesday to address several security issues. As part of its Patch Tuesday update for May, Microsoft released 16 security bulletins to patch more than 30 vulnerabilities, including JScript and VBScript zero-days exploited in attacks targeting users in South Korea. Adobe informed customers on Tuesday that it’s working on fixing a serious Flash flaw that has been exploited in the wild. Judging by Microsoft’s advisory, the update prepared by Adobe will patch not only the zero-day, but two dozen other Flash vulnerabilities as well.

Last month, SAP patched 10 high priority vulnerabilities in its products, including five XSS issues and four denial of service (DoS) vulnerabilities. In March, the company addressed a total of 28 vulnerabilities, including six XSS bugs, six information disclosure issues, and five missing authorization check flaws.
