Germany-based enterprise software maker SAP has released patches for a total of 22 vulnerabilities as part of its August 2015 Security Patch Day.
In addition to providing fixes for 22 new vulnerabilities, SAP updated four previously released patches. According to the company, a majority of the fixed issues are cross-site scripting (XSS) and information disclosure flaws. SAP says 15 of the 26 vulnerabilities have been classified “high severity”.
SAP has not made public any details on the patched flaws, but ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems, has shared some information on the most serious vulnerabilities.
ERPScan’s own researchers identified three of the SAP product vulnerabilities patched this month. The list includes XML External Entity (XXE) bugs in SAP Mobile Platform 2.3 and SAP NetWeaver Portal, and an XSS in SAP Afaria 7.
According to the security firm, there are four critical vulnerabilities that SAP customers should patch as soon as possible.
One of these critical issues, with a CVSS score of 8.5, is a remote code execution flaw in SAP ST-P that can be exploited by an attacker to compromise SAP servers and access the information stored on them. This can including source code, configuration files, critical system files, and business-related information, ERPScan said.
Another serious vulnerability affects the SAP NetWeaver AFP Servlet. The security hole, known as Reflected File Download (RFD), can be exploited to push malware onto victims’ devices by tricking them into clicking on a specially crafted link.
ERPScan warns SAP HANA users about two flaws. One of them can be exploited to terminate a process, which can lead to service disruptions, while the other bug is related to an incorrect system configuration that can allow an attacker to access internal HANA services without authentication.
These vulnerabilities have been patched by SAP with the 2037304, 2169391, 2175928 and 2165583 security notes.
SAP vulnerability advisories have also been published this week by business-critical application security firm Onapsis. The company released advisories detailing three SAP Mobile Platform DataVault flaws reported to SAP in November 2014 and addressed in April 2015.
In June, ERPScan warned that the use of static keys and other encryption issues expose many SAP customers to cyberattacks.
Related Reading: Majority of SAP Attacks Use One of Three Common Techniques
Related Reading: SAP Fixes Remotely Exploitable Vulnerabilities Affecting Multiple Products
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
