Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Security Updates Patch 19 New Flaws

Since it’s the second Tuesday of the month, enterprise software maker SAP has released its Patch Day Security Notes for December 2015.

The company has addressed a total of 26 issues, including 19 new vulnerabilities and seven updates to previous patches. Of the 26 vulnerabilities, three have been rated “hot news” and 16 have been classified as “high” severity.

Since it’s the second Tuesday of the month, enterprise software maker SAP has released its Patch Day Security Notes for December 2015.

The company has addressed a total of 26 issues, including 19 new vulnerabilities and seven updates to previous patches. Of the 26 vulnerabilities, three have been rated “hot news” and 16 have been classified as “high” severity.

The patches fix four cross-site scripting (XSS), three information disclosure, four missing authorization and authentication check, and two denial-of-service (DoS) vulnerabilities. Remote code execution, hardcoded credentials, SQL injection, cross-domain redirection, and cross-site request forgery (CSRF) issues — one of each — have also been resolved.

SAP patches

According to ERPScan, a company that specializes in securing SAP and Oracle business-critical software, the most urgent patches based on their CVSS score are for previously released updates. These issues include an OS command execution vulnerability in NetWeaver Search and Classification (TREX) and NetWeaver Business Warehouse Accelerator (BWA), a DoS flaw in BusinessObjects BI, a remote command execution bug in 3D Visual Enterprise Author, Generator and Viewer, and an incorrect configuration issue in HANA.

Patches for a couple of medium severity issues reported by ERPScan, an authentication bypass in SAP Mobile Platform and an implementation flaw in SAP LogViewer, have also been updated.

Eight of the patched vulnerabilities fall under the “other” category, which experts say is not unusual for complex business applications like SAP.

“Configuration and other unusual issues in SAP are 5 times more common than in traditional products, thus a significant part of security measures falls on shoulders of administrators,” ERPScan explained in a blog post.

In September, ERPScan reported finding a serious vulnerability in SAP Afaria, a mobile device management (MDM) solution used by 6,300 enterprises to manage 130 million mobile devices. The weakness could have been leveraged by hackers to send out malicious administrative messages designed to lock or wipe the mobile devices used by a company’s employees.

Related Reading: Serious Vulnerabilities Patched in SAP Products

Related Reading: Flaw in SAP Firm’s XSS Filter Exposed Many Sites to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.