SAP on Tuesday released its set of security patches for December 2016, which include 20 Patch Day Security Notes, along with updates for two previously released notes.
Information Disclosure issues represented the largest number of vulnerabilities addressed this month, followed by Missing Authorization Checks. Cross-Site Scripting flaws were the third most common in this month’s security fixes, but implementation issues, authentication bypasses, directory traversal, clickjacking, and other types of vulnerabilities were also addressed, SAP’s advisory reveals.
The 22 SAP Security Patch Day Notes released this month were accompanied by 9 Support Package Notes for a total of 31 vulnerabilities resolved across numerous SAP products, ERPScan, a company that specializes in securing SAP products, explains.
Of the total December 2016 SAP Security Notes, 4 have a High priority rating, the most important of them being a deserialization vulnerability in SAP BI Platform (CVSS Base Score: 7.3). By exploiting this flaw, an attacker could execute commands remotely, without authorization, and the commands would run with the same privileges as the service that executed the command.
“An attacker can access to arbitrary files and directories located in a SAP server filesystem including application source code, configuration and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system,” ERPScan said.
Another High priority rating issue resolved this month is an Information Disclosure vulnerability in SAP Business Objects Explorer (CVSS Base Score: 7.1), which could be leveraged to reveal additional information (system data, debugging information, etc.).
SAP also resolved an SQL injection vulnerability in SAP Universal Description, Discovery and Integration component (CVSS Base Score: 6.8), which could allow an attacker read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable.
Also patched was a Directory traversal vulnerability in SAP UserAdmin Application (CVSS Base Score: 6.8) that could provide an attacker with access to arbitrary files and directories located in the SAP server filesystem. The issue allows reading files that exist out of the Java Virtual Machine, and 318 services exposed online were found worldwide, ERPScan reveals.
Three of the vulnerabilities resolved this month affect 2 SAP for Defense Forces & Public Security components, namely The Defense Forces & Public Security and SAP Mobile Defense & Security. The two are susceptible to a Missing Authorization Check, an issue that could allow an attacker to read, modify or delete restricted data.
“As we deal with the defense industry, the information can be critical in terms of International security. The effect of even such low-impact vulnerability could be devastating when it comes to armed forces,” ERPScan says.
Throughout 2016, SAP released 315 security patches, a number slightly higher (5%) compared to the previous year, but only 9 of them were Hot news. Most of the flaws (215) were Medium priority, with the High priority ones coming in on the second position (74), and Low priority on the third (17).
The average number of monthly SAP Security Notes for this year is approximately 26, which the most common vulnerability types are XSS (119), Missing Authorization Check (80), and different kinds of implementation flaws (51). SAP also resolved a total of 26 clickjacking vulnerabilities this year.