Vulnerabilities

SAP Security Updates Patch 19 New Flaws

Since it’s the second Tuesday of the month, enterprise software maker SAP has released its Patch Day Security Notes for December 2015.

The company has addressed a total of 26 issues, including 19 new vulnerabilities and seven updates to previous patches. Of the 26 vulnerabilities, three have been rated “hot news” and 16 have been classified as “high” severity.

Eduard Kovacs

December 8, 2015

Since it’s the second Tuesday of the month, enterprise software maker SAP has released its Patch Day Security Notes for December 2015.

The patches fix four cross-site scripting (XSS), three information disclosure, four missing authorization and authentication check, and two denial-of-service (DoS) vulnerabilities. Remote code execution, hardcoded credentials, SQL injection, cross-domain redirection, and cross-site request forgery (CSRF) issues — one of each — have also been resolved.

SAP patches

According to ERPScan, a company that specializes in securing SAP and Oracle business-critical software, the most urgent patches based on their CVSS score are for previously released updates. These issues include an OS command execution vulnerability in NetWeaver Search and Classification (TREX) and NetWeaver Business Warehouse Accelerator (BWA), a DoS flaw in BusinessObjects BI, a remote command execution bug in 3D Visual Enterprise Author, Generator and Viewer, and an incorrect configuration issue in HANA.

Patches for a couple of medium severity issues reported by ERPScan, an authentication bypass in SAP Mobile Platform and an implementation flaw in SAP LogViewer, have also been updated.

Eight of the patched vulnerabilities fall under the “other” category, which experts say is not unusual for complex business applications like SAP.

“Configuration and other unusual issues in SAP are 5 times more common than in traditional products, thus a significant part of security measures falls on shoulders of administrators,” ERPScan explained in a blog post.

In September, ERPScan reported finding a serious vulnerability in SAP Afaria, a mobile device management (MDM) solution used by 6,300 enterprises to manage 130 million mobile devices. The weakness could have been leveraged by hackers to send out malicious administrative messages designed to lock or wipe the mobile devices used by a company’s employees.

Related Reading: Serious Vulnerabilities Patched in SAP Products

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George

Why CISOs Make Great Board Members

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make for successful board members.

Galina Antova

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Marie Hattar