SAP Releases Critical Updates for Two Security Notes

Of the ten Security Notes in SAP’s June 2018 Security Patch Day, five were updates for previously released Notes, including two rated Hot News (Critical severity).

Impacting SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66), the two Hot News Security Notes feature CVSS scores of 9.8 and 9.1, respectively.

The former updates a Security Note first released on the April 2018 Patch Day, covering security updates for the third-party web browser controls delivered with SAP Business Client; the latter updates a Note first released on the November 2016 Patch Day that addresses an OS command injection vulnerability in the Report for Terminology Export component. Because both are re-released Notes, systems where the original corrections were applied should still be checked against the updated versions.

The remaining Security Notes address four vulnerabilities considered High severity (including an update to a Security Note released on April 2018 Patch Day) and four Medium risk flaws (two are updates to Security Notes released on August 2014 Patch Day and May 2018 Patch Day, respectively), SAP’s advisory reveals.

The most important of the High-severity flaws is an information disclosure vulnerability (CVE-2018-2425) in SAP Business One (CVSS Base Score: 8.4). The bug affects the backup service of SAP Business One, version for SAP HANA, and could allow an attacker to access information that would otherwise be restricted, Onapsis explains.

Next in line is a remote command execution flaw (CVE-2015-0899) in SAP Internet Sales (CVSS Base Score: 7.5), followed by a denial-of-service bug (CVE-2014-0050) in SAP Internet Sales (CVSS Base Score: 7.3). Both CVEs are older issues in third-party open-source components (Apache Struts 1 and Apache Commons FileUpload, respectively) bundled with the SAP product, which is why they carry 2014 and 2015 identifiers despite being patched only now.

The last high-risk Security Note released this month is an update to a previous Note addressing CVE-2018-2408 (CVSS Base Score: 7.3), an improper session management bug in SAP Business Objects.

The Medium-severity flaws addressed this month include a cross-site scripting (XSS) vulnerability in SAPUI5 (CVE-2018-2424) and an information disclosure issue in the UI5 Handler (CVE-2018-2428). They are accompanied by an update to a Security Note addressing a potential remote code execution in SAP Crystal Reports, and another patching a missing XML validation vulnerability in SAP Identity Management (CVE-2018-2416).

According to ERPScan, a company that secures Oracle and SAP products, the June 2018 Patch Day also includes four Support Package Notes, for a total of 14 Notes. Half of those 14 Notes were released out of band, after the May Patch Day (the second Tuesday of May) and before this month's Patch Day, so organizations that only review Notes on Patch Tuesday may have missed them.

The most common vulnerability types addressed this month are XSS and remote command execution, followed by implementation flaws and information disclosure. SAP also addressed XML external entity, DoS, OS command execution, and buffer overflow issues.

Related: SAP Patches Internet Graphics Server Flaws

Related: 13 Year-Old Configuration Flaw Impacts Most SAP Deployments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
