SecurityWeek


SAP Releases Critical Updates for Two Security Notes

Of the ten Security Notes in SAP’s June 2018 Security Patch Day, five were updates for previously released Notes, including two rated Hot News (Critical severity).

Impacting SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66), the two Hot News Security Notes feature CVSS scores of 9.8 and 9.1, respectively.

The former is an update to a Security Note released on the April 2018 Patch Day, described as security updates for the third-party web browser controls delivered with SAP Business Client, while the latter is an update to a Note released on the November 2016 Patch Day, described as an OS command injection vulnerability in the Report for Terminology Export component.

The remaining Security Notes address four vulnerabilities considered High severity (including an update to a Security Note released on the April 2018 Patch Day) and four Medium risk flaws (two of which are updates to Security Notes released on the August 2014 and May 2018 Patch Days, respectively), SAP’s advisory reveals.

The most important of the high-risk flaws is an information disclosure vulnerability (CVE-2018-2425) in SAP Business One (CVSS Base Score: 8.4). The bug exists in the Business One version for the SAP HANA backup service and could allow an attacker to access information which would otherwise be restricted, Onapsis explains.

Next in line is a remote command execution flaw (CVE-2015-0899) in SAP Internet Sales (CVSS Base Score: 7.5), followed by a denial-of-service bug (CVE-2014-0050) in SAP Internet Sales (CVSS Base Score: 7.3).

The last high-risk Security Note released this month is an update to a previous Note addressing CVE-2018-2408 (CVSS Base Score: 7.3), an improper session management bug in SAP Business Objects.

The Medium risk flaws addressed this month include a cross-site scripting (XSS) vulnerability in SAPUI5 (CVE-2018-2424) and information disclosure in UI5 Handler (CVE-2018-2428). They are accompanied by an update to a Security Note addressing a potential remote code execution in SAP CrystalReports, and another patching a missing XML validation vulnerability in SAP Identity Management (CVE-2018-2416).


According to ERPScan, a company that secures Oracle and SAP products, the June 2018 Patch Day also includes 4 Support Package Notes, for a total of 14 Notes. Half of the Notes were released between the second Tuesday of the previous month and the second Tuesday of this month.

The most common vulnerability types addressed this month are XSS and remote command execution, followed by implementation flaws and information disclosure. SAP also addressed XML external entity, DoS, OS command execution, and buffer overflow issues.

Related: SAP Patches Internet Graphics Server Flaws

Related: 13 Year-Old Configuration Flaw Impacts Most SAP Deployments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
