SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).
This month’s set of patches also includes two security notes released after the second Tuesday of last month but before this Tuesday, along with one update for a previously released patch, totalling 10 security notes.
The most important of these notes addresses a missing authentication check in the AS2 adapter of the B2B add-on for SAP NetWeaver Process Integration. Tracked as CVE-2019-0379, the vulnerability features a CVSS score of 9.3.
Successful exploitation of this bug could lead to the theft of sensitive data or to data manipulation, or it could provide attackers with access to administrative and other privileged functionality. The issue can be exploited remotely, explains Onapsis, a firm specialized in securing Oracle and SAP products.
The second Hot News note patches an information disclosure vulnerability in SAP Landscape Management enterprise edition, version 3.0. The security flaw is tracked as CVE-2019-0380 and has a CVSS score of 9.1.
The issue, Onapsis says, is related to the custom parameters that a user can add to providers (which contain information about the scripts and other properties) assigned to custom operations. Under certain, “uncommon” conditions these providers create the risk of information disclosure, SAP says.
This month, SAP also released a High priority security note addressing a binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. Tracked as CVE-2019-0381 and featuring a CVSS score of 7.8 due to the fact that access to the local system is required for exploitation, the issue resides in the file search algorithm of the affected products.
“The algorithm searches too many directories, even if they are out of the application scope. Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation,” Onapsis explains.
SAP addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products this month, including one in Customer Relationship Management (CVE-2019-0368), and multiple bugs in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378), all rated Medium priority.
Additionally, the German software maker addressed multiple flaws in SAP Financial Consolidation (CVE-2019-0370 and CVE-2019-0369), and a missing authorization check in the B2B Content Manager of the B2B add-on for SAP NetWeaver Process Integration (CVE-2019-0367).
The company released an update for a security note released in September, which patches a denial-of-service (DoS) issue in SAP Kernel (RFC), SAP GUI for Windows and SAP GUI for Java (CVE-2019-0365).