SAP Patches Flaws in xMII, Other Products

The February 2016 Patch Day Security Notes released by enterprise software maker SAP on Tuesday address vulnerabilities in several of the company’s products.

The patches released this week address 16 issues, including 13 that have been rated “high severity.” SAP security experts at ERPScan pointed out that the vendor also released two Support Package Notes, and five additional patches have been made available over the past month since the release of the January 2016 updates.

The most common types of flaws patched this month are cross-site scripting (XSS), missing authorization check, and implementation flaws.

Four of the security holes fixed this month were reported to SAP by ERPScan, including a directory traversal in SAP xMII (Manufacturing Integration and Intelligence), a solution designed to connect an organization’s business operations to systems on the plant floor. The flaw can be exploited by an attacker to access potentially sensitive information stored on the SAP server filesystem.

This SAP product plays an important role in the operations of manufacturing, energy, oil and gas, and utility companies. Vulnerabilities in xMII can be leveraged in the first phase of a multi-stage attack whose goal is to give malicious actors control over plant devices and manufacturing systems, experts warned.

At the Black Hat Europe conference last year, ERPScan researchers showed how attackers can target companies in the oil and gas sector using vulnerabilities in SAP xMII and other business applications that bridge operational and information technology networks.

ERPScan also reported three other new flaws that have been patched by SAP, including a SQL injection in SAP Universal Description, Discovery and Integration (UDDI), an information disclosure issue in SAP Universal Worklist Configuration, and an XSS in SAP Java Proxy Runtime.

A blog post published by ERPScan on Tuesday also describes three other newly patched vulnerabilities that the security firm has classified as “critical.” One of them, with a CVSS score of 7.5, is an OS command execution flaw in SAP’s TREX search technology.

Another serious weakness can be exploited for denial-of-service (DoS) attacks. The flaw, found in the SAPSSOEXT library, can be exploited by an attacker to terminate a service, which could lead to system downtime and disruption of the business process.

ERPScan has also advised SAP customers to quickly apply the patch for an XSS vulnerability in HANA Extended Application Services SAPUI5.

Related: SAP Security Updates Patch 4 New Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
