SAP Patches OS Command Execution Vulnerabilities

SAP released its November 2016 security updates Tuesday, addressing two very high priority (Hot News) Security Notes, both meant to resolve OS command execution vulnerabilities.

The two Critical flaws each carry a CVSS Base Score of 9.1 and affect the SAP Report for Terminology Export component and the SAP Text Conversion component, respectively. Both could be exploited to execute operating system commands without authorization.

Aside from the two Hot News Security Notes, SAP also released two High severity and six Medium risk Security Notes, for a total of 10 Patch Day Security Notes, according to Udit Singh of SAP's Product Security Response Team (Patch Day Governance).

Additionally, SAP released five Security Notes between the second Tuesday of October and the second Tuesday of November, along with an update to a previously released Security Note, ERPScan notes. Overall, the firm points out, the November updates close 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and six Support Package Notes).

An attacker could leverage the Hot News OS command execution vulnerabilities to run operating system commands without authorization. The commands execute with the privileges of the SAP service that invoked them, so the attacker could access arbitrary files and directories on the SAP server's file system, such as application source code, configuration files, and critical system files.

Other notable flaws patched by SAP this month, both rated High, include a Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5) and an Information Disclosure vulnerability in the SAP Software Update Manager component (CVSS Base Score: 7.5). The former can be abused to terminate a process of the vulnerable component, while the latter can be leveraged to reveal additional information about the affected system.

Disclosed by ERPScan researchers, the Denial of Service vulnerability in SAP Message Server HTTP could allow an attacker to prevent legitimate users from accessing the service by crashing it. The Message Server, the researchers say, is used for communication between elements of a Java cluster and should not be accessible from the Internet.

However, 3,783 SAP Message Server HTTP interfaces were reachable from the Internet at the time of the report, most of them located in the United States, ERPScan says. India is the second most affected country, followed by China, Germany, and Singapore.
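The exposure described above is easy to check for your own landscape. The script below is an added example for this article, not ERPScan's or SAP's code. It assumes the SAP default Message Server HTTP port 81NN (profile parameter ms/http_port) for instance number NN, and that the service answers GET requests on its text logon endpoint /msgserver/text/logon. The inventory in the script is constructed from RFC 5737 documentation addresses; run it with real hosts from an Internet-side vantage point, since any "open" result means the service the researchers say should never be Internet-facing is exposed.

```python
"""Probe SAP Message Server HTTP ports from an external vantage point.

Added example for this article (not SAP's or ERPScan's code).
Assumptions: default ms/http_port of 81<NN> for instance NN, and the
message server's text logon endpoint at /msgserver/text/logon.
"""
import http.client
import socket


def ms_http_port(instance: int) -> int:
    """Default Message Server HTTP port for an SAP instance number (00-97)."""
    if not 0 <= instance <= 97:
        raise ValueError("SAP instance numbers run from 00 to 97")
    return 8100 + instance


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """TCP-connect to host:port, then GET the message server logon page.

    state is one of: open, closed (refused), filtered (timed out), error.
    answers_msgserver_path is a heuristic: HTTP 200 on the logon path.
    """
    result = {"host": host, "port": port, "state": "error",
              "http_status": None, "answers_msgserver_path": False}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except ConnectionRefusedError:
        result["state"] = "closed"
        return result
    except socket.timeout:
        result["state"] = "filtered"
        return result
    except OSError as exc:  # DNS failure, no route, sandbox without sockets
        result["detail"] = str(exc)
        return result

    result["state"] = "open"
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/msgserver/text/logon")  # assumed endpoint
        resp = conn.getresponse()
        result["http_status"] = resp.status
        result["answers_msgserver_path"] = resp.status == 200
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        result["detail"] = str(exc)
    return result


def exposed_hosts(inventory, timeout: float = 3.0) -> list:
    """inventory: iterable of (host, instance_number). Returns probes whose
    message server HTTP port accepted a TCP connection."""
    results = (probe(host, ms_http_port(inst), timeout) for host, inst in inventory)
    return [r for r in results if r["state"] == "open"]


if __name__ == "__main__":
    # Constructed inventory: RFC 5737 documentation addresses, never routed.
    inventory = [("192.0.2.10", 0), ("192.0.2.11", 1)]
    for r in exposed_hosts(inventory, timeout=1.0):
        print(f"{r['host']}:{r['port']} open, HTTP {r['http_status']}, "
              f"logon page served: {r['answers_msgserver_path']}")
```

A message server whose HTTP port is open to the Internet should be moved behind a firewall or reverse proxy regardless of whether the logon page is served; the heuristic only tells you that the SAP-specific path is answered, not that the November patches are missing.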

Other vulnerabilities disclosed by ERPScan researchers and patched in SAP Security Patch Day – November 2016 include an Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3) and an SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC (no Security Note was issued for the latter, since the issue was in the hosted Hybris cloud service).

Overall this month, SAP patched 6 Missing authorization check flaws, 3 Cross-Site Scripting bugs, 2 OS command execution, 2 Information Disclosure, 1 DoS, 1 Implementation Flaw, and 1 Clickjacking vulnerability.

Related: Vulnerability Impacts Web-Exposed SAP Systems

Related: SAP Patches Multiple Implementation Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
