SAP Releases 18 Security Notes in June 2017 Patch Day

SAP this week released its June 2017 set of security patches to address various bugs across its products, including a denial of service vulnerability that potentially impacts over 3,400 services exposed to the Internet.

SAP included 18 security notes in its latest SAP Security Patch Day. Together with updates to previously released notes and 11 security notes published after the second Tuesday of the previous month and before the second Tuesday of this month, a total of 29 security notes are part of the June Patch Day (21 SAP Security Patch Day Notes and 8 Support Package Notes).

Five of the security notes carry a High priority rating, and two of the vulnerabilities have a CVSS score of 7.5. Another 23 of the issues are rated Medium risk, and one is considered Low severity, points out ERPScan, a company that specializes in securing SAP and Oracle products.

The most common vulnerability type addressed this month is Cross-Site Scripting (XSS), at 8 bugs, followed by denial of service (DoS) and information disclosure at 4, XML external entity at 3, missing authorization checks at 2, and cross-site request forgery, SQL injection, authentication bypass, and open redirect at 1 each.

The most important of the addressed issues were DoS bugs in SAP NetWeaver Instance Agent Service, and in BILaunchPad and Central Management Console, featuring a CVSS base score of 7.5 each. By terminating the process of the vulnerable component, an attacker could prevent access to the service.

“One of two Notes assessed at High priority is a DoS vulnerability in SAP Host Agent Service identified by our researchers. The vulnerability is remotely exploitable without authentication. We have also conducted custom scanning that revealed that there are about 3,400 potentially vulnerable such services available online,” ERPScan’s Darya Maenkova told SecurityWeek in an email.

The issue, ERPScan says, was reported to SAP in November 2016, and could cause response delays and service interruptions, with direct impact on availability. Most of the vulnerable services exposed to the Internet are located in the United States (780), India (691), China (216), Korea (126), and Mexico (114).

Other High priority flaws that SAP addressed this month include a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1) in the SAP BusinessObjects Web Intelligence HTML interface and a Missing Certificate Verification vulnerability (CVSS Base Score: 7) in SAP CommonCryptoLib, a bug related to HTTPS certificate validation.

Another High risk security note is an update to a note released in March 2017: Improved security for outgoing HTTPS connections in SAP NetWeaver (CVSS Base Score: 7.4). As Onapsis explains, this note “includes more information on how to properly configure HTTPS connections securely.”

Related: SAP Patches 17 Vulnerabilities With May 2017 Security Update

Related: SAP Patches Critical Code Injection Flaw in TREX

Related: SAP Vulnerability Exposes Enterprises to Ransomware, Other Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
