SecurityWeek

Vulnerabilities

SAP Patches Critical Vulnerability in NetWeaver

Four of the Security Notes published by SAP as part of the September 2019 Security Patch Day are rated Hot News, the same as last month.

Of the four Security Notes, only one is newly released. It addresses CVE-2019-0355 (CVSS score of 9.1), a code injection vulnerability in SAP NetWeaver AS for Java (Web Container).

The issue resides in the SAP default implementation of the HTTP PUT method and allows attackers to bypass the input validation check. As a result, an attacker could upload dynamic web content and take control of the application, explains Onapsis, a firm specializing in securing Oracle and SAP products.

An attacker able to successfully exploit the vulnerability could execute commands without authorization, access sensitive information on the system, and cause a denial of service (DoS) condition.
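The practical defender's question raised by a PUT-based upload of dynamic web content is how to spot it in web server access logs and how an upload handler should gate such requests. The following Python is an added example, not SAP's, Onapsis's or SecurityWeek's code, and it does not reflect the actual fix in the Security Note: it scans constructed access-log lines (in a simplified Common Log Format, not real NetWeaver output) for accepted PUT requests, flags PUTs of Java-executable content, correlates later GETs of a path that was written via PUT, and shows a hypothetical hardened gate (`allow_put`) of the kind an upload handler should enforce.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Simplified Common Log Format line parser (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)

# Extensions a Java web container would execute rather than serve as a plain file.
DYNAMIC_EXT = (".jsp", ".jspx", ".war", ".class")

# Constructed sample log lines; not real SAP NetWeaver log output.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2019:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.9 - - [10/Sep/2019:10:02:17 +0000] "PUT /webdav/report.pdf HTTP/1.1" 201 0
10.0.0.7 - - [10/Sep/2019:10:03:44 +0000] "PUT /uploads/index.jsp HTTP/1.1" 201 0
10.0.0.7 - - [10/Sep/2019:10:03:50 +0000] "GET /uploads/index.jsp HTTP/1.1" 200 318
10.0.0.3 - - [10/Sep/2019:10:04:01 +0000] "PUT /docs/notes.txt HTTP/1.1" 403 0
"""


@dataclass
class Finding:
    severity: str
    ip: str
    method: str
    path: str
    reason: str


def scan_access_log(text: str) -> List[Finding]:
    """Return findings for PUT-based uploads of web content and their follow-up reads."""
    findings: List[Finding] = []
    uploaded: Set[str] = set()  # paths written by an accepted PUT, for correlation
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the whole scan
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop any query string
        status = int(m["status"])
        accepted = 200 <= status < 300
        if method == "PUT":
            if path.lower().endswith(DYNAMIC_EXT):
                findings.append(Finding("high", ip, method, path,
                                        "PUT of executable web content"))
            elif accepted:
                findings.append(Finding("medium", ip, method, path,
                                        "PUT accepted by server"))
            if accepted:
                uploaded.add(path)
        elif method == "GET" and path in uploaded:
            # Upload followed by a request for the uploaded resource.
            findings.append(Finding("high", ip, method, path,
                                    "request for content uploaded via PUT"))
    return findings


def allow_put(path: str, authenticated_admin: bool) -> bool:
    """Hypothetical hardened gate for an upload handler (illustrative policy,
    not SAP's fix): accept PUT only from an authenticated administrator and
    never accept content the container would execute."""
    if not authenticated_admin:
        return False
    return not path.lower().endswith(DYNAMIC_EXT)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path}: {f.reason}")
```

Run against the constructed lines, the scanner reports the accepted PDF upload as medium, the `.jsp` upload as high, and the subsequent GET of that `.jsp` as high; the rejected (403) text upload produces nothing. The point of `allow_put` is that the validation decision is made on both the caller's privilege and the target's executability, so a bypass of one check does not by itself yield code execution.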

Two of the remaining Hot News notes are updates to previously released patches for an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330): one of the Security Notes is an update to the other, which is in turn an update to a July 2019 Security Note.

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system. Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,” Onapsis says.

The fourth Hot News note released this month is an update to a patch released in April 2018, which addresses issues in the Google Chromium browser control delivered with SAP Business Client.

This month, SAP also addressed High severity security flaws in SAP HANA Extended Application Services (Advanced Model). Tracked as CVE-2019-0363 and CVE-2019-0364, the bugs could allow an authenticated attacker to cause a DoS condition.

Seven of the Security Notes released as part of the September 2019 Security Patch Day are rated Medium severity, including a privilege escalation in the SAP HANA database, Cross-Site Scripting (XSS) in Supplier Relationship Management, and multiple flaws in Business One.

Other Medium risk bugs include a DoS in Kernel (RFC), GUI for Windows and GUI for Java, improper session management in Business Objects Business Intelligence Platform (CMC), information disclosure in XI Runtime Workbench of NetWeaver Process Integration, and an update to an August 2018 Note addressing a Server Side Request Forgery (SSRF) in BusinessObjects.

Additionally, SAP addressed a Low severity information disclosure bug in the SAP Business One client (CVE-2019-0353).

In addition to the notes published as part of the September 2019 Patch Day, SAP also released a series of patches after the second Tuesday of last month and before the second Tuesday of this month.

“With 16 new or updated Security Notes released today, the number of published Security Notes is lower than in August. However, some of them include multiple fixes or important updates and extensions to already published notes and thus reminding us that patching is and will remain a continuous major task for every SAP customer,” Onapsis notes.

Related: SAP Patches Highest Number of Critical Flaws Since 2014

Related: SAP Patches Critical Flaw in Diagnostics Agent

Written By

Ionut Arghire is an international correspondent for SecurityWeek.