SAP Patches OS Command Execution Vulnerabilities

SAP released its November 2016 security updates Tuesday, addressing two very high priority (Hot News) Security Notes, both meant to resolve OS command execution vulnerabilities.

The two Critical flaws each carry a CVSS Base Score of 9.1 and affect the SAP Report for Terminology Export component and the SAP Text Conversion component, respectively. Both could be exploited to execute operating system commands without authorization.

Aside from the two Hot News Security Notes, SAP also released two High severity and six Medium risk Security Notes, for a total of 10 Patch Day Security Notes, according to Udit Singh of Patch Day Governance in SAP's Product Security Response Team.

Additionally, SAP released 5 Security Notes after the second Tuesday of October and before the second Tuesday of November, and also released an update to a previously released Security Note, ERPScan notes. Overall, the firm points out, the November updates close 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and 6 Support Package Notes).

An attacker could leverage the Hot News OS command execution vulnerabilities to run operating system commands without authorization. Because the injected commands execute with the privileges of the service that runs them, the attacker inherits that service account's access to files and directories on the SAP server's file system, including application source code, configuration files and critical system files.
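As an added illustration of this vulnerability class (not SAP's code, and not a description of how the two patched components are implemented), the Python sketch below shows the general shape of an OS command execution bug and one way to close it: a user-controlled report name is spliced into a shell command string, so shell metacharacters in the name become extra commands that run as the service account. The export routine, the directory paths and the attacker payload are all constructed for the example.

```python
"""Added example: OS command injection via a shell string, and a hardened form.

Not SAP code. The export routine, SOURCE_DIR, TARGET_DIR and the attacker
payload are constructed for illustration only.
"""
import re
import subprocess
from typing import List

# Hypothetical paths standing in for an application's export directory.
SOURCE_DIR = "/usr/sap/trans/export"   # constructed, not a real SAP layout
TARGET_DIR = "/tmp/export"             # constructed


def build_command_vulnerable(report_name: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command string."""
    return f"cp {SOURCE_DIR}/{report_name}.txt {TARGET_DIR}/"


def export_vulnerable(report_name: str) -> str:
    """Runs the concatenated string through /bin/sh -c and returns its stdout.

    Anything after ';' (or '|', '&&', '$(...)') in report_name is parsed by
    the shell as a separate command and executes with the privileges of
    whatever account runs this service.
    """
    completed = subprocess.run(build_command_vulnerable(report_name),
                               shell=True, capture_output=True, text=True)
    return completed.stdout


# Allow-list for the report name: letters, digits, underscore, hyphen only.
REPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_command_hardened(report_name: str) -> List[str]:
    """Hardened pattern: validate against an allow-list, then build an argv list.

    With an argv list and shell=False the name reaches cp as a single
    argument; no shell ever parses it, so metacharacters have no effect.
    """
    if not REPORT_NAME_RE.fullmatch(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    return ["cp", f"{SOURCE_DIR}/{report_name}.txt", f"{TARGET_DIR}/"]


def export_hardened(report_name: str) -> subprocess.CompletedProcess:
    """Executes the validated argv list without a shell."""
    return subprocess.run(build_command_hardened(report_name),
                          shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed attacker input: ends the cp command and appends another.
    payload = "x; echo INJECTED-$(id -un)"
    print("vulnerable:", export_vulnerable(payload).strip())
    try:
        export_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

Run as a script, the vulnerable path prints a line containing `INJECTED-` followed by the account the interpreter runs as, which is exactly the "same privileges as the service" point above; the hardened path rejects the payload before any process is spawned. Validation and an argv list address the injection itself; running the service under a least-privilege account limits what a residual bug can read.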

The two High severity Security Notes address a Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5) and an Information Disclosure vulnerability in the SAP Software Update Manager component (CVSS Base Score: 7.5). The former can be abused to terminate a process of the vulnerable component, while the latter can be leveraged to reveal additional information about the affected system.

Disclosed by ERPScan researchers, the Denial of Service vulnerability in SAP Message Server HTTP could allow an attacker to prevent legitimate users from accessing the service by crashing it. The Message Server, the researchers say, is used for communication between elements of a Java cluster and should not be accessible from the Internet.

However, ERPScan says 3,783 SAP Message Server HTTP interfaces are currently reachable from the Internet, most of them located in the United States. India is the second most affected country, followed by China, Germany, and Singapore.

Other vulnerabilities disclosed by ERPScan researchers and patched in SAP Security Patch Day – November 2016 include an Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3) and an SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC (no Security Note was issued for the latter, as the issue was in the Hybris cloud environment).

Overall this month, SAP patched 16 vulnerabilities: 6 Missing Authorization Check flaws, 3 Cross-Site Scripting bugs, 2 OS Command Execution flaws, 2 Information Disclosure issues, 1 Denial of Service, 1 Implementation Flaw, and 1 Clickjacking vulnerability.

Written by Ionut Arghire, international correspondent for SecurityWeek.
