SAP Patches Critical Vulnerability in NetWeaver

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Of the four Security Notes, only one is newly released. It addresses CVE-2019-0355 (CVSS score of 9.1), a code injection vulnerability in SAP NetWeaver AS for Java (Web Container).

The issue resides in the SAP default implementation of the HTTP PUT method and allows attackers to bypass the input validation check. As a result, an attacker could upload dynamic web content and take control of the application, explains Onapsis, a firm specialized in securing Oracle and SAP products.

An attacker able to successfully exploit the vulnerability could execute commands without authorization, access sensitive information on the system, and cause a denial of service (DoS) condition.
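The upload path described above leaves a recognisable trace: a PUT request that the server accepts, followed by a GET of the same resource. The following Python, added here as an illustration and not code from the article, from SAP or from Onapsis, scans web-tier access logs for that pattern so defenders can check whether write methods are reaching AS Java at all. It assumes the reverse proxy or web container logs in Common Log Format (SAP's own log layout differs; the regex is the part to adapt), and the list of "server-executable" extensions is an assumption about what a Java Web Container would run. The log lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Assumption: HTTP methods that modify server content and should normally be
# rejected by the web tier in front of SAP NetWeaver AS Java.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY"}

# Assumption: extensions the Java Web Container would treat as executable content.
DYNAMIC_EXT = (".jsp", ".jspx", ".war", ".class", ".ear")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log: a successful PUT of a .jsp, a fetch of the uploaded
# file, a rejected PUT of a static document, and one malformed line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2019:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.7 - - [10/Sep/2019:09:12:05 +0000] "PUT /webdynpro/resources/uploaded.jsp HTTP/1.1" 201 0
10.0.0.7 - - [10/Sep/2019:09:12:06 +0000] "GET /webdynpro/resources/uploaded.jsp HTTP/1.1" 200 87
10.0.0.9 - - [10/Sep/2019:09:13:44 +0000] "PUT /docs/report.pdf HTTP/1.1" 405 0
10.0.0.9 - - [10/Sep/2019:09:13:50 +0000] "POST /irj/servlet/prt/portal HTTP/1.1" 200 2048
this line is not in CLF and is skipped
"""


@dataclass
class Finding:
    severity: str   # critical / high / medium / low
    line_no: int
    ip: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def scan_access_log(text):
    """Return findings for write methods and for reads of content they uploaded."""
    findings = []
    accepted_uploads = set()  # paths where an executable upload got a 2xx
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        method, path, status = rec["method"], rec["path"], rec["status"]
        accepted = 200 <= status < 300
        dynamic = path.lower().endswith(DYNAMIC_EXT)
        if method in WRITE_METHODS:
            if accepted and dynamic:
                sev, why = "critical", "write method accepted for server-executable content"
                accepted_uploads.add(path)
            elif accepted:
                sev, why = "high", "write method accepted by the server"
            elif dynamic:
                sev, why = "medium", "write method attempted against server-executable content (rejected)"
            else:
                sev, why = "low", "write method attempted (rejected)"
            findings.append(Finding(sev, n, rec["ip"], method, path, status, why))
        elif method == "GET" and accepted and path in accepted_uploads:
            findings.append(Finding("critical", n, rec["ip"], method, path, status,
                                    "previously uploaded dynamic content was served"))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity:8}] line {f.line_no}: {f.ip} {f.method} {f.path} -> {f.status} ({f.reason})")
```

The point of the low-severity entries is that even a rejected PUT tells you a client is probing for write methods; the critical pairing (accepted upload, then a GET of it) is the sequence to alert on. On a patched system with PUT disabled at the web tier, the expected result is that no write method ever gets a 2xx.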

Two of the remaining Hot News notes are updates to previously released patches addressing an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330) – one of the Security Notes is an update to the other, which in itself is an update to a July 2019 Security Note.

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system. Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,” Onapsis says.

The fourth Hot News note released this month is an update to a patch released in April 2018, which addresses issues with the browser control Google Chromium delivered with SAP Business Client.

This month, SAP also addressed High severity security flaws in SAP HANA Extended Application Services (Advanced Model). Tracked as CVE-2019-0363 and CVE-2019-0364, the bugs could allow an authenticated attacker to cause a DoS condition.

Seven of the Security Notes released as part of the September 2019 Security Patch Day are rated Medium severity, including a privilege escalation in the SAP HANA database, Cross-Site Scripting (XSS) in Supplier Relationship Management, and multiple flaws in Business One.

Other Medium risk bugs include a DoS in Kernel (RFC), GUI for Windows and GUI for Java, improper session management in Business Objects Business Intelligence Platform (CMC), information disclosure in XI Runtime Workbench of NetWeaver Process Integration, and an update to an August 2018 Note addressing a Server Side Request Forgery (SSRF) in BusinessObjects.

Additionally, SAP addressed a Low severity information disclosure bug in the SAP Business One client (CVE-2019-0353).

In addition to the notes published as part of the September 2019 Patch Day, SAP also released a series of patches after the second Tuesday of last month and before the second Tuesday of this month.

“With 16 new or updated Security Notes released today, the number of published Security Notes is lower than in August. However, some of them include multiple fixes or important updates and extensions to already published notes and thus reminding us that patching is and will remain a continuous major task for every SAP customer,” Onapsis notes.

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Related: SAP Patches Critical Flaw in Diagnostics Agent

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
