
SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News. 


The most important of the Security Notes addresses vulnerabilities in SAP Cloud Connector. Tracked as CVE-2019-0246 and CVE-2019-0247, the bugs both have a CVSS score of 9.3. 

This is the second Security Note SAP has published for the platform, and the first to carry a Critical severity rating (the only other note for Cloud Connector was published in April 2018 with a Medium severity rating), points out Onapsis, a firm that specializes in securing Oracle and SAP applications.

An attacker exploiting the vulnerability could gain access to the service and read, modify or delete information, while also being able to access administrative or privileged functionality, explains ERPScan, another company that secures Oracle and SAP products.

“The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed a command. The hacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files,” ERPScan says.

The second Hot News Security Note published by SAP this week addresses an information disclosure issue in Landscape Management. Tracked as CVE-2019-0249, the vulnerability carries a CVSS score of 9.1. 

An attacker could abuse the information disclosure flaw to reveal additional information such as system data, debugging information, and the like, which could then be abused to explore the system and plan other attacks, ERPScan points out. 

SAP’s January 2019 patches also include one High severity Security Note. Tracked as CVE-2019-0243 and featuring a CVSS score of 7.1, the vulnerability is a Missing Authorization check that impacts SAP BW/4HANA. 


All of the remaining Security Notes address Medium risk vulnerabilities such as Information Disclosure, Cross-Site Scripting, Denial of Service, and Missing Authorization check. 

Impacted SAP products include Financial Consolidation Cube Designer, Commerce, Work Manager, CRM WebClient UI, Business Objects, Gateway of ABAP Application Server, and Enterprise Financial Services.

The new set of SAP patches also includes 7 Support Package Notes, for a total of 18 Security Notes. One of the patches is an update to a previously released note.

Cross-Site Scripting was the most encountered vulnerability type, followed by Implementation Flaw and Information Disclosure. The remaining bugs were Missing Authorization Check issues, Denial of Service vulnerabilities, and one OS Command Execution flaw. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
