SAP Releases Critical Updates for Two Security Notes

Of the ten Security Notes in SAP’s June 2018 Security Patch Day, five were updates for previously released Notes, including two rated Hot News (Critical severity).

The two Hot News Security Notes, which impact SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66), carry CVSS scores of 9.8 and 9.1, respectively.
The former updates a Security Note first released on the April 2018 Patch Day, covering security updates for the third-party web browser controls delivered with SAP Business Client; the latter updates a Note from the November 2016 Patch Day addressing an OS command injection vulnerability in the Report for Terminology Export component.

The remaining Security Notes address four vulnerabilities rated High severity (one of them an update to a Note from the April 2018 Patch Day) and four Medium risk flaws (two of which update Notes from the August 2014 and May 2018 Patch Days, respectively), SAP’s advisory reveals.

The most important of the high-risk flaws is an information disclosure vulnerability (CVE-2018-2425) in SAP Business One (CVSS Base Score: 8.4). The bug exists in the Business One version for the SAP HANA backup service and could allow an attacker to access information which would otherwise be restricted, Onapsis explains.

Next in line is a remote command execution flaw (CVE-2015-0899) in SAP Internet Sales (CVSS Base Score: 7.5), followed by a denial-of-service bug (CVE-2014-0050) in SAP Internet Sales (CVSS Base Score: 7.3).

The last high-risk Security Note released this month is an update to a previous Note addressing CVE-2018-2408 (CVSS Base Score: 7.3), an improper session management bug in SAP Business Objects.

The Medium risk flaws addressed this month include a cross-site scripting (XSS) vulnerability in SAPUI5 (CVE-2018-2424) and information disclosure in UI5 Handler (CVE-2018-2428). They are accompanied by an update to a Security Note addressing a potential remote code execution in SAP CrystalReports, and another patching a missing XML validation vulnerability in SAP Identity Management (CVE-2018-2416).

According to ERPScan, a company that secures Oracle and SAP products, the June 2018 Patch Day also includes 4 Support Package Notes, for a total of 14 Notes. Half of the Notes were released after the second Tuesday of the last month and before the second Tuesday of this month.

The most common vulnerability types addressed this month are XSS and remote command execution, followed by implementation flaws and information disclosure. SAP also addressed XML external entity, DoS, OS command execution, and buffer overflow issues.

Related: SAP Patches Internet Graphics Server Flaws

Related: 13 Year-Old Configuration Flaw Impacts Most SAP Deployments

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
