SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News.
The most important of the Security Notes addresses vulnerabilities in SAP Cloud Connector. Tracked as CVE-2019-0246 and CVE-2019-0247, the bugs both have a CVSS score of 9.3.
This is the second Security Note that SAP publishes for the platform, and is the first to feature a Critical severity rating (the only other note for Cloud Connector was published in April 2018 with a Medium severity rating), Onapsis, a firm that specializes in securing Oracle and SAP applications, points out.
An attacker exploiting the vulnerability could gain access to service and read, modify or delete information, while also being able to access administrative or privileged functionalities, ERPScan, another company that secures Oracle and SAP products, explains.
“The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with same privileges of the service that executed a command. The hacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files,” ERPScan says.
The second Hot News Security Note published by SAP this week addresses an information disclosure issue in Landscape Management. Tracked as CVE-2019-0249, the vulnerability carries a CVSS score of 9.1.
An attacker could abuse the information disclosure flaw to reveal additional information such as system data, debugging information, and the like, which could then be abused to explore the system and plan other attacks, ERPScan points out.
SAP’s January 2019 patches also include one High severity Security Note. Tracked as CVE-2019-0243 and featuring a CVSS score of 7.1, the vulnerability is a Missing Authorization check that impacts SAP BW/4HANA.
All of the remaining Security Notes address Medium risk vulnerabilities such as Information Disclosure, Cross-Site Scripting, Denial of Service, and Missing Authorization check.
Impacted SAP products include Financial Consolidation Cube Designer, Commerce, Work Manager, CRM WebClient UI, Business Objects, Gateway of ABAP Application Server, and Enterprise Financial Services.
The new set of SAP patches also includes 7 Support Package Notes, for a total of 18 Security Notes. One of the patches is an update to a previously release note.
Cross-Site Scripting was the most encountered vulnerability type, followed by Implementation Flaw and Information Disclosure. The remaining bugs were Missing Authorization Check issues, Denial of Service vulnerabilities, and one OS Command Execution flaw.