Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



SAP Releases Over Dozen High Priority Patches

Enterprise software solutions provider SAP has released its Security Patch Day updates for November 2015 to address nearly two dozen issues.

Enterprise software solutions provider SAP has released its Security Patch Day updates for November 2015 to address nearly two dozen issues.

This month’s updates include 15 Patch Day security notes and eight Support Package notes. The Patch Day notes include nine new fixes, four updates to previous notes, and two out-of-band patches. Five of these have been rated “hot news” (very high), and eight have been classified as having “high” priority.

The list of patched issues includes code injection, information disclosure, cross-site request forgery (CSRF), directory traversal, and cross-site scripting (XSS) vulnerabilities.

According to SAP security firm ERPScan, one of the most serious vulnerabilities patched this month, based on its CVSS score, is a CSRF bug in the Web UI Framework (WebUIF), a component of SAP’s Customer Relationship Management (CRM) application. An attacker can exploit this vulnerability to perform operations on an authenticated user’s behalf if they can trick the victim into clicking on a specially crafted link.

Two other high priority notes are for an information disclosure flaw in SAP Business Intelligence and an OS command execution vulnerability in a component of SAP ABAP. Both these issues had been addressed previously, but SAP has now released updated patches.

The patches also fix a couple of vulnerabilities reported by ERPScan researchers. One of the issues found by the security firm is related to the use of Base64 and DES to encrypt passwords in SAP Manufacturing Integration and Intelligence (xMII).

The second security hole identified by ERPScan is a high severity denial-of-service (DoS) flaw in SAP Plant Connection (SAP PCo), a solution designed for data exchanges between a SAP system and industry-specific data sources, such as SPC, plant historian, and process control systems.

Advertisement. Scroll to continue reading.

ERPScan believes these vulnerabilities can pose a serious risk because the affected solutions serve as a bridge between the industrial and enterprise resource planning (ERP) environments.

“SAP’s Business applications collect data about critical processes via SAP xMII. SAP xMII systems are connected with SAP PCo systems which exchange information with OPC servers which, in their turn, have a direct access to PLC devices and systems that manage critical processes,” ERPScan explained in a blog post. “These vulnerabilities can be used as a starting point of sophisticated multi-stage attack aiming to get control over linked systems.”

Experts will show at the Black Hat Europe security conference how such vulnerabilities can be exploited to target companies in the oil and gas sector.

Earlier this week, SAP security firm Onapsis published a total of 21 advisories detailing vulnerabilities patched by SAP over the past few months. The flaws described by the company affect SAP HANA-based applications such as S/4HANA and SAP Cloud Solutions.

According to Onapsis, these vulnerabilities could affect more than 10,000 SAP customers, including many Forbes 2000 companies across various industry verticals.

Related Reading: Serious Vulnerabilities Patched in SAP Products

Related Reading: Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.