Connect with us

Hi, what are you looking for?



SAP Security Updates Patch 22 Vulnerabilities

Germany-based enterprise software maker SAP has released patches for a total of 22 vulnerabilities as part of its August 2015 Security Patch Day.

Germany-based enterprise software maker SAP has released patches for a total of 22 vulnerabilities as part of its August 2015 Security Patch Day.

In addition to providing fixes for 22 new vulnerabilities, SAP updated four previously released patches. According to the company, a majority of the fixed issues are cross-site scripting (XSS) and information disclosure flaws. SAP says 15 of the 26 vulnerabilities have been classified “high severity”.

SAP has not made public any details on the patched flaws, but ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems, has shared some information on the most serious vulnerabilities.

ERPScan’s own researchers identified three of the SAP product vulnerabilities patched this month. The list includes XML External Entity (XXE) bugs in SAP Mobile Platform 2.3 and SAP NetWeaver Portal, and an XSS in SAP Afaria 7.

According to the security firm, there are four critical vulnerabilities that SAP customers should patch as soon as possible.

One of these critical issues, with a CVSS score of 8.5, is a remote code execution flaw in SAP ST-P that can be exploited by an attacker to compromise SAP servers and access the information stored on them. This can including source code, configuration files, critical system files, and business-related information, ERPScan said.

Another serious vulnerability affects the SAP NetWeaver AFP Servlet. The security hole, known as Reflected File Download (RFD), can be exploited to push malware onto victims’ devices by tricking them into clicking on a specially crafted link.

Advertisement. Scroll to continue reading.

ERPScan warns SAP HANA users about two flaws. One of them can be exploited to terminate a process, which can lead to service disruptions, while the other bug is related to an incorrect system configuration that can allow an attacker to access internal HANA services without authentication.

These vulnerabilities have been patched by SAP with the 2037304, 2169391, 2175928 and 2165583 security notes.

SAP vulnerability advisories have also been published this week by business-critical application security firm Onapsis. The company released advisories detailing three SAP Mobile Platform DataVault flaws reported to SAP in November 2014 and addressed in April 2015.

In June, ERPScan warned that the use of static keys and other encryption issues expose many SAP customers to cyberattacks.

Related Reading: Majority of SAP Attacks Use One of Three Common Techniques

Related Reading: SAP Fixes Remotely Exploitable Vulnerabilities Affecting Multiple Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.