Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in Business Client

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

Featuring a CVSS score of 9.8 and rated Hot News, the vulnerability impacts the browser control Chromium delivered with SAP Business Client. The issue was initially addressed on April 2018 Patch Day, but SAP decided to update the Security Note today.

Of the remaining 13 Security Notes included in this month’s Security Patch Day, three were rated High severity, 9 Medium risk, and 1 Low severity. 

Impacted SAP products include Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori “People Profile” (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application. 

SAP also released 8 Support Package Notes this month, for a total of 22 Security Notes, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. 4 of the notes were released over the course of the last month. 

Missing Authorization Check was the most encountered type of vulnerability, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues. SAP also addressed implementation flaws, denial of service, SQL injection, buffer overflow, and server side request forgery vulnerabilities. 

The most important bugs closed in September (all featuring a CVSS Base Score of 8.8) include a Missing Authorization check vulnerability in SAP ECC Sales Support, an Information Disclosure vulnerability in Business One and HANA Installer, and a Missing XML Validation (XXE) vulnerability in BEx Web Java Runtime Export Web Service.

Another important bug was a denial of service vulnerability in SAP HANA, Extended Application Services Classic Model. Tracked as CVE-2018-2465, the flaw has a CVSS score of 7.5 and is considered High risk.

Advertisement. Scroll to continue reading.

Discovered by Onapsis researchers, the flaw can be exploited by a remote, unauthenticated attacker through a large crafted request to a default API or to ODATA services present in a HANA XS system abusing the XML parsing, the company says.

“Even though a Denial Of Service attack is the easiest way to exploit this vulnerability, a more complex attack could lead to a potential remote code execution (RCE), that could lead to even worse scenarios for the affected users,” Sebastian Bortnik, Director Of Research for Onapsis, told SecurityWeek in an emailed comment.

A Cross-Site Scripting issue in NetWeaver AS Java Logon Application (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) can lead to defacements, user credentials compromises, or user impersonation, Onapsis, which also focuses on securing Oracle and SAP applications, explains. 

Related: SAP Releases August 2018 Security Updates

Related: SAP Releases Critical Updates for Two Security Notes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights