
SAP Resolves Multiple Information Disclosure Flaws

SAP on Tuesday released its set of security patches for December 2016, which include 20 Patch Day Security Notes, along with updates for two previously released notes.

Information Disclosure issues represented the largest number of vulnerabilities addressed this month, followed by Missing Authorization Checks. Cross-Site Scripting flaws were the third most common in this month’s security fixes, but implementation issues, authentication bypasses, directory traversal, clickjacking, and other types of vulnerabilities were also addressed, SAP’s advisory reveals.

The 22 SAP Security Patch Day Notes released this month were accompanied by 9 Support Package Notes, for a total of 31 vulnerabilities resolved across numerous SAP products, according to ERPScan, a company that specializes in securing SAP products.

Of the December 2016 SAP Security Notes, 4 carry a High priority rating, the most important of them being a deserialization vulnerability in SAP BI Platform (CVSS Base Score: 7.3). By exploiting this flaw, an attacker could execute commands remotely without authorization, and those commands would run with the same privileges as the service that executed them.

“An attacker can access arbitrary files and directories located in a SAP server filesystem including application source code, configuration and critical system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system,” ERPScan said.

Another High priority rating issue resolved this month is an Information Disclosure vulnerability in SAP Business Objects Explorer (CVSS Base Score: 7.1), which could be leveraged to reveal additional information (system data, debugging information, etc.).

SAP also resolved an SQL injection vulnerability in the SAP Universal Description, Discovery and Integration component (CVSS Base Score: 6.8), which could allow an attacker to read and modify sensitive information in a database, execute administrative operations on the database, or destroy data or make it unavailable.

Also patched was a directory traversal vulnerability in the SAP UserAdmin Application (CVSS Base Score: 6.8) that could provide an attacker with access to arbitrary files and directories located in the SAP server filesystem. The issue allows reading files that reside outside the Java Virtual Machine, and 318 affected services exposed online were found worldwide, ERPScan reveals.

Three of the vulnerabilities resolved this month affect 2 SAP for Defense Forces & Public Security components, namely Defense Forces & Public Security and SAP Mobile Defense & Security. Both are susceptible to a Missing Authorization Check, an issue that could allow an attacker to read, modify or delete restricted data.

“As we deal with the defense industry, the information can be critical in terms of international security. The effect of even such a low-impact vulnerability could be devastating when it comes to armed forces,” ERPScan says.

Throughout 2016, SAP released 315 security patches, a number slightly higher (5%) than the previous year, but only 9 of them were Hot News. Most of the flaws (215) were Medium priority, with High priority in second place (74) and Low priority third (17).

The average number of SAP Security Notes per month this year is approximately 26, and the most common vulnerability types were XSS (119), Missing Authorization Check (80), and various kinds of implementation flaws (51). SAP also resolved a total of 26 clickjacking vulnerabilities this year.

Related: Flaw in PwC Security Tool Exposes SAP Systems to Attacks

Related: SAP Patches Serious Flaws in Database Management Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
