SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019

SAP released its first Security Patch Day for 2019 this week, which includes a total of 11 Security Notes, two of which are rated as Hot News. 

The most important of the Security Notes addresses vulnerabilities in SAP Cloud Connector. Tracked as CVE-2019-0246 and CVE-2019-0247, the bugs both have a CVSS score of 9.3. 

This is only the second Security Note that SAP has published for the platform, and the first to carry a Critical severity rating (the only other note for Cloud Connector was published in April 2018 with a Medium severity rating), points out Onapsis, a firm that specializes in securing Oracle and SAP applications.

An attacker exploiting the vulnerability could gain access to the service and read, modify or delete information, and could also reach administrative or privileged functionality, explains ERPScan, another company that secures Oracle and SAP products.

“The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands will run with the same privileges as the service that executed the command. The hacker can access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and critical system files,” ERPScan says.

The second Hot News Security Note published by SAP this week addresses an information disclosure issue in Landscape Management. Tracked as CVE-2019-0249, the vulnerability carries a CVSS score of 9.1. 

An attacker could abuse the information disclosure flaw to reveal additional information such as system data, debugging information, and the like, which could then be abused to explore the system and plan other attacks, ERPScan points out. 

SAP’s January 2019 patches also include one High severity Security Note. Tracked as CVE-2019-0243 and featuring a CVSS score of 7.1, the vulnerability is a Missing Authorization check that impacts SAP BW/4HANA. 

All of the remaining Security Notes address Medium risk vulnerabilities such as Information Disclosure, Cross-Site Scripting, Denial of Service, and Missing Authorization check. 

Impacted SAP products include Financial Consolidation Cube Designer, Commerce, Work Manager, CRM WebClient UI, Business Objects, Gateway of ABAP Application Server, and Enterprise Financial Services.

The new set of SAP patches also includes seven Support Package Notes, for a total of 18 Security Notes. One of the patches is an update to a previously released note.

Cross-Site Scripting was the most common vulnerability type, followed by Implementation Flaw and Information Disclosure. The remaining bugs were Missing Authorization Check issues, Denial of Service vulnerabilities, and one OS Command Execution flaw.

Related: SAP Patches Critical Vulnerability in Hybris Commerce

Related: SAP Patches Critical Vulnerability in HANA Streaming Analytics

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
