SAP Patches Critical Vulnerability in NetWeaver

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Of the four Security Notes, only one is newly released. It addresses CVE-2019-0355 (CVSS score of 9.1), a code injection vulnerability in SAP NetWeaver AS for Java (Web Container).

The issue resides in the SAP default implementation of the HTTP PUT method and allows attackers to bypass the input validation check. Thus, an attacker could upload dynamic web content and can take control of the application, Onapsis, a firm specialized in securing Oracle and SAP products, explains.

An attacker able to successfully exploit the vulnerability could execute commands without authorization, access sensitive information on the system, and cause a denial of service (DoS) condition.

Two of the remaining Hot News notes are updates to previously released patches addressing an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330) – one of the Security Notes is an update to the other, which in itself is an update to a July 2019 Security Note.

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system. Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,” Onapsis says.

The fourth Hot News note released this month is an update to a patch released in April 2018, which addresses issues with the browser control Google Chromium delivered with SAP Business Client.

This month, SAP also addressed High severity security flaws in SAP HANA Extended Application Services (Advanced Model). Tracked as CVE-2019-0363 and CVE-2019-0364, the bugs could allow an authenticated attacker to cause a DoS condition.

Seven of the Security Notes released as part of the September 2019 Security Patch Day are rated Medium severity, including a privilege escalation in the SAP HANA database, Cross-Site Scripting (XSS) in Supplier Relationship Management, and multiple flaws in Business One.

Other Medium risk bugs include a DoS in Kernel (RFC), GUI for Windows and GUI for Java, improper session management in Business Objects Business Intelligence Platform (CMC), information disclosure in XI Runtime Workbench of NetWeaver Process Integration, and an update to an August 2018 Note addressing a Server Side Request Forgery (SSRF) in BusinessObjects.

Additionally, SAP addressed a Low severity information disclosure bug in the SAP Business One client (CVE-2019-0353).

In addition to the notes published as part of the September 2019 Patch Day, SAP also released a series of patches after the second Tuesday of last month and before the second Tuesday of this month.

“With 16 new or updated Security Notes released today, the number of published Security Notes is lower than in August. However, some of them include multiple fixes or important updates and extensions to already published notes and thus reminding us that patching is and will remain a continuous major task for every SAP customer,” Onapsis notes.

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Related: SAP Patches Critical Flaw in Diagnostics Agent