
SAP Patches Critical Vulnerability in NetWeaver

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Of the four Security Notes, only one is newly released. It addresses CVE-2019-0355 (CVSS score of 9.1), a code injection vulnerability in SAP NetWeaver AS for Java (Web Container).

The issue resides in SAP's default implementation of the HTTP PUT method and allows attackers to bypass the input validation check, so an attacker could upload dynamic web content and take control of the application, explains Onapsis, a firm specialized in securing Oracle and SAP products.

An attacker able to successfully exploit the vulnerability could execute commands without authorization, access sensitive information on the system, and cause a denial of service (DoS) condition.
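As an added illustration that is not part of the article or of SAP's or Onapsis's material: a retrospective check a defender could run over web-container access logs to find PUT requests that landed executable content such as JSP files, the pattern the NetWeaver issue above enables. The log format is assumed to be Common Log Format and the sample lines are constructed, not taken from a real NetWeaver system.

```python
import re
from typing import Dict, List, Optional

# Extensions a Java web container executes rather than serves as static data.
DYNAMIC_EXT = {".jsp", ".jspx", ".jsv", ".jsw", ".jhtml"}

# Common Log Format with a quoted request line. Assumption: real NetWeaver
# logs may differ; adjust the pattern to the deployed log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one benign static PUT, one accepted JSP upload,
# one rejected upload with an upper-case extension.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2019:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2019:10:01:09 +0000] "PUT /webdav/docs/report.pdf HTTP/1.1" 201 0
198.51.100.4 - - [10/Sep/2019:10:02:33 +0000] "PUT /app/upload/cmd.jsp HTTP/1.1" 201 0
198.51.100.4 - - [10/Sep/2019:10:02:40 +0000] "GET /app/upload/cmd.jsp?x=1 HTTP/1.1" 200 312
192.0.2.9 - - [10/Sep/2019:10:03:01 +0000] "PUT /app/upload/x.JSPX HTTP/1.1" 403 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_dynamic_path(path: str) -> bool:
    # Drop any query string, then compare the extension case-insensitively.
    clean = path.split("?", 1)[0].lower()
    return any(clean.endswith(ext) for ext in DYNAMIC_EXT)


def find_dynamic_puts(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries for PUT requests whose target is executable content."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "PUT" and is_dynamic_path(entry["path"]):
            # A 2xx status means the container accepted the upload; those are
            # the entries worth investigating first.
            entry["accepted"] = str(200 <= int(entry["status"]) < 300)
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_dynamic_puts(SAMPLE_LOG):
        state = "accepted" if hit["accepted"] == "True" else "rejected"
        print(hit["ts"], hit["ip"], hit["path"], state)
```

Follow-up on any accepted hit is to confirm whether the file still exists on the server and whether it was subsequently requested, as the sample's fourth line shows.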

Two of the remaining Hot News notes are updates to previously released patches addressing an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330) – one of the Security Notes is an update to the other, which in itself is an update to a July 2019 Security Note.

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system. Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,” Onapsis says.

The fourth Hot News note released this month is an update to a patch released in April 2018, which addresses issues with the browser control Google Chromium delivered with SAP Business Client.

This month, SAP also addressed High severity security flaws in SAP HANA Extended Application Services (Advanced Model). Tracked as CVE-2019-0363 and CVE-2019-0364, the bugs could allow an authenticated attacker to cause a DoS condition.


Seven of the Security Notes released as part of the September 2019 Security Patch Day are rated Medium severity, including a privilege escalation in the SAP HANA database, Cross-Site Scripting (XSS) in Supplier Relationship Management, and multiple flaws in Business One.

Other Medium risk bugs include a DoS in Kernel (RFC), GUI for Windows and GUI for Java, improper session management in Business Objects Business Intelligence Platform (CMC), information disclosure in XI Runtime Workbench of NetWeaver Process Integration, and an update to an August 2018 Note addressing a Server Side Request Forgery (SSRF) in BusinessObjects.

Additionally, SAP addressed a Low severity information disclosure bug in the SAP Business One client (CVE-2019-0353).

In addition to the notes published as part of the September 2019 Patch Day, SAP also released a series of patches after the second Tuesday of last month and before the second Tuesday of this month.

“With 16 new or updated Security Notes released today, the number of published Security Notes is lower than in August. However, some of them include multiple fixes or important updates and extensions to already published notes and thus reminding us that patching is and will remain a continuous major task for every SAP customer,” Onapsis notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
