The February 2016 Patch Day Security Notes released by enterprise software maker SAP on Tuesday address vulnerabilities in several of the company’s products.
The patches released this week address 16 issues, including 13 that have been rated “high severity.” SAP security experts at ERPScan pointed out that the vendor also released two Support Package Notes, and five additional patches have been made available over the past month since the release of the January 2016 updates.
The most common types of flaws patched this month are cross-site scripting (XSS), missing authorization checks, and implementation flaws.
Four of the security holes fixed this month were reported to SAP by ERPScan, including a directory traversal in SAP xMII (Manufacturing Integration and Intelligence), a solution designed to connect an organization’s business operations to systems on the plant floor. The flaw can be exploited by an attacker to access potentially sensitive information stored on the SAP server filesystem.
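The directory traversal class named above is worth seeing in defensive terms. The block below is an added illustration, not SAP's or ERPScan's code and not a description of how the xMII flaw itself works: it contrasts a naive "join the base directory with a caller-supplied name" with a canonicalising check that confines file access to the intended directory, and adds a cheap log-side indicator for parent-directory segments. All paths, file names and request strings are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_path(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: the caller's fragment is joined in unchecked, so
    '../' segments (or an absolute path) resolve outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it stays under
    base_dir; raise PermissionError otherwise."""
    base_real = os.path.realpath(base_dir)
    # An absolute `requested` would make os.path.join discard base_dir, so
    # strip leading separators; realpath then collapses '..' and symlinks.
    candidate = os.path.realpath(os.path.join(base_real, requested.lstrip("/\\")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return candidate


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when safe_resolve would reject the request."""
    try:
        safe_resolve(base_dir, requested)
    except PermissionError:
        return True
    return False


def looks_like_traversal(raw_request_path: str) -> bool:
    """Cheap log-side indicator: percent-decode twice (to catch double
    encoding), normalise backslashes, and look for '..' path segments."""
    decoded = unquote(unquote(raw_request_path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def demo() -> str:
    """Build a throwaway base directory with one constructed file, show the
    naive join escaping it and the checked resolve staying confined, and
    return the content served for an in-tree request."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
            fh.write("constructed sample report\n")
        # The naive join walks up and out of the base directory.
        assert not naive_path(base, "../../etc/hosts").startswith(base)
        # The checked resolve refuses the same request...
        assert escapes_base(base, "../../etc/hosts")
        # ...and serves a legitimate in-tree file normally.
        with open(safe_resolve(base, "reports/q1.txt")) as fh:
            return fh.read()


if __name__ == "__main__":
    print(demo(), end="")
```

The check relies on `os.path.realpath` rather than string matching on `..`, so symlinks inside the base directory that point elsewhere are also caught; the `looks_like_traversal` helper is only a triage signal for request logs and is not a substitute for the resolve-time check.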
This SAP product plays an important role in the operations of manufacturing, energy, oil and gas, and utility companies. Vulnerabilities in xMII can be leveraged in the first phase of a multi-stage attack whose goal is to give malicious actors control over plant devices and manufacturing systems, experts warned.
At the Black Hat Europe conference last year, ERPScan researchers showed how attackers can target companies in the oil and gas sector using vulnerabilities in SAP xMII and other business applications that bridge operational and information technology networks.
ERPScan also reported three other new flaws that have been patched by SAP, including a SQL injection in SAP Universal Description, Discovery and Integration (UDDI), an information disclosure issue in SAP Universal Worklist Configuration, and an XSS in SAP Java Proxy Runtime.
A blog post published by ERPScan on Tuesday also describes three other newly patched vulnerabilities that the security firm has classified as “critical.” One of them, with a CVSS score of 7.5, is an OS command execution flaw in SAP’s TREX search technology.
Another serious weakness can be exploited for denial-of-service (DoS) attacks. The flaw, found in the SAPSSOEXT library, can be exploited by an attacker to terminate a service, which could lead to system downtime and disruption of business processes.
ERPScan has also advised SAP customers to quickly apply the patch for an XSS vulnerability in HANA Extended Application Services SAPUI5.