SAP released its November 2016 security updates Tuesday, addressing two very high priority (Hot News) Security Notes, both meant to resolve OS command execution vulnerabilities.
The two Critical flaws have a CVSS Base Score of 9.1 each and were found to affect the SAP Report for Terminology ExportI component and the SAP Text Conversion component, respectively. They could be exploited to execute OS commands without authorization.
Aside for the two Hot News Security Notes, SAP also released two High severity and 6 Medium risk Security Notes, for a total of 10 Patch Day Security Notes, Udit Singh, Patch Day Governance, Product Security Response Team, SAP, revealed.
Additionally, SAP released 5 Security Notes after the second Tuesday of October and before the second Tuesday of November, and also released an update to a previously released Security Note, ERPScan notes. Overall, the firm points out, the November updates close 16 vulnerabilities in SAP products (10 SAP Security Patch Day Notes and 6 Support Package Notes).
An attacker could leverage the Hot News OS command execution vulnerabilities to execute operating system commands without authorization. The commands will run with the same privileges as the service that executed the command and the attacker could access arbitrary files and directories located in a SAP server file system, such as application source code, configuration, and critical system files.
Other critical flaws patched by SAP this month include a Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5) and an Information Disclosure vulnerability in SAP Software Update Manager component (CVSS Base Score: 7.5). The former can be abused to terminate a process of a vulnerable component, while the latter can be leveraged to reveal additional information about the affected system.
Disclosed by ERPScan researchers, the Denial of Service vulnerability in SAP Message Server HTTP could allow an attacker to prevent legitimate users from accessing the service by crashing it. The Message Server, the researchers say, is used for communication between elements of a Java cluster and should not be accessible from the Internet.
However, 3783 SAP Message Servers HTTP are currently available online, most of them located in the United States, ERPScan says. India is the second most affected country, followed by China, Germany, and Singapore.
Other vulnerabilities disclosed by ERPScan researchers and patched in SAP Security Patch Day – November 2016 include an Information Disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3), and an SQL Injection in SAP Hybris E-commerce Suite VirtualJDBC (however, no security note was provided for it, because the issue was inside Hybris cloud).
Overall this month, SAP patched 6 Missing authorization check flaws, 3 Cross-Site Scripting bugs, 2 OS command execution, 2 Information Disclosure, 1 DoS, 1 Implementation Flaw, and 1 Clickjacking vulnerability.