SAP Resolves 19 Vulnerabilities With August 2017 Security Notes

SAP this week released another set of security patches for its products to address a total of 19 vulnerabilities, most of which are rated Medium severity.

A total of 16 security notes were included in the SAP Security Patch Day in August 2017: three rated High risk, 11 rated Medium severity, and two Low risk.

SAP also released three Support Package Notes, for a total of 19 patches. One of the notes was released after the second Tuesday of the previous month and before the second Tuesday of this month.

The most important of these issues include a Directory Traversal vulnerability (CVSS Base Score: 7.7) in SAP NetWeaver AS Java Web Container, a Code Injection vulnerability (CVSS Base Score: 7.4) in Visual Composer 04s iviews, and a Cross-Site AJAX Requests vulnerability (CVSS Base Score: 7.3) in SAP BusinessObjects (in a third-party Java library used by the application).

The Visual Composer 04s iviews flaw “allows attackers to inject malicious code into the back end application. By simply having end users access a specially crafted URL, unwanted applications can be started on the client machine by an attacker. Depending on who makes use of your Enterprise Portal, clients in this sense could be employees, customers, partners or suppliers,” Onapsis reveals.

According to the company, which specializes in securing SAP and Oracle applications, a large number of Visual Composer versions, starting from 7.00, are affected. Thus, even if the component is not actively used within an organization, it could still be leveraged as part of an attack.

The most common vulnerability type resolved this month was cross-site scripting. Five such issues were addressed in SAP applications, along with two directory traversal bugs, two open redirects, two cross-site request forgery flaws, two SQL injections, one missing authorization check, one information disclosure, one code injection, one SSRF bug, one implementation flaw, and one denial of service.


“Cross-Site Scripting remains the most widespread security loophole in SAP Applications with 20% of the released Notes addressing this type of issues,” ERPScan, another company focused on securing SAP and Oracle software, says.

One of the XSS issues resolved this month impacted the Adobe Flex Software Development Kit, meaning that custom applications written with the help of the library are susceptible to XSS, ERPScan points out. SAP’s Web Dynpro Flex appears to be affected.

The bug was initially found in 2011 and patched in March 2012. It allowed an attacker to remotely inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.

Because the issue lies in a library, applying the fix alone won’t eliminate the vulnerability: every application written using the vulnerable library needs to be rebuilt against the patched version of the SDK.

According to ERPScan, a cross-site scripting vulnerability in the SAP Customer Relationship Management IPC Pricing module (CVSS Base Score: 6.1) deserves attention, as it could allow an attacker to inject a malicious script into a page. The script would have access to cookies, session tokens, and other critical information stored and used for interaction with the web application. Thus, an attacker could learn business-critical information and even gain control over it, or could abuse the flaw to modify displayed content without authorization.

“It’s been another SAP Notes Day without any critical (Hot News) patch update. Despite it not being a critical month, the high priority notes mentioned above should be treated as soon as possible. […] Almost all bug types are included within this release, despite most of them having a medium priority tag,” Onapsis notes.

Related: SAP Addresses High Severity Vulnerabilities With July 2017 Patches

Related: SAP Releases 18 Security Notes in June 2017 Patch Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
