Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News. 

SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News. 

The most important of the Security Notes addresses vulnerabilities in SAP Cloud Connector. Tracked as CVE-2019-0246 and CVE-2019-0247, the bugs both have a CVSS score of 9.3. 

This is the second Security Note that SAP publishes for the platform, and is the first to feature a Critical severity rating (the only other note for Cloud Connector was published in April 2018 with a Medium severity rating), Onapsis, a firm that specializes in securing Oracle and SAP applications, points out

An attacker exploiting the vulnerability could gain access to service and read, modify or delete information, while also being able to access administrative or privileged functionalities, ERPScan, another company that secures Oracle and SAP products, explains

“The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with same privileges of the service that executed a command. The hacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files,” ERPScan says.

The second Hot News Security Note published by SAP this week addresses an information disclosure issue in Landscape Management. Tracked as CVE-2019-0249, the vulnerability carries a CVSS score of 9.1. 

An attacker could abuse the information disclosure flaw to reveal additional information such as system data, debugging information, and the like, which could then be abused to explore the system and plan other attacks, ERPScan points out. 

SAP’s January 2019 patches also include one High severity Security Note. Tracked as CVE-2019-0243 and featuring a CVSS score of 7.1, the vulnerability is a Missing Authorization check that impacts SAP BW/4HANA. 

All of the remaining Security Notes address Medium risk vulnerabilities such as Information Disclosure, Cross-Site Scripting, Denial of Service, and Missing Authorization check. 

Impacted SAP products include Financial Consolidation Cube Designer, Commerce, Work Manager, CRM WebClient UI, Business Objects, Gateway of ABAP Application Server, and Enterprise Financial Services.

The new set of SAP patches also includes 7 Support Package Notes, for a total of 18 Security Notes. One of the patches is an update to a previously release note. 

Cross-Site Scripting was the most encountered vulnerability type, followed by Implementation Flaw and Information Disclosure. The remaining bugs were Missing Authorization Check issues, Denial of Service vulnerabilities, and one OS Command Execution flaw. 

Related: SAP Patches Critical Vulnerability in Hybris Commerce

Related: SAP Patches Critical Vulnerability in HANA Streaming Analytics

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.