SAP Security Updates Patch 4 New Vulnerabilities

Enterprise software maker SAP on Tuesday released a new set of security updates for its products in its SAP Security Patch Day for January 2016.

The company has addressed a total of 23 vulnerabilities in SAP products (3 of which are Support Package Security notes), including 13 security flaws that have a high priority rating. As usual, SAP included in the security notes patches that have been delivered before Tuesday, as well as patches for newly discovered vulnerabilities.

Five of the vulnerabilities were cross-site scripting (XSS), making this the most common issue in SAP products. According to the security notes, SAP also patched 4 information disclosure flaws, 2 denial of service vulnerabilities, 2 missing authorization check issues, one mission authentication check issue, and 5 other vulnerabilities.

ERPScan, which specializes in securing SAP and Oracle business software, explains in a blog post that the 3 support package security notes included 2 missing authorization check issues and one Cross-site request forgery (XSRF) vulnerability. 

These include two Log Injection and Denial of service vulnerabilities in SAP HANA Extended Application Services Classic (XS), with a CVSS base score of 5.0; a cross-site scripting vulnerability in SAP RWB, with a CVSS score of 4.3; a cross-site scripting vulnerability in SAP PMI, with a CVSS score of 4.3, and an information disclosure vulnerability in SAP User Management Engine, with a CVSS score of 3.5.

ERPScan also told SecurityWeek that, of the total number of patches released as part of the January 2016 SAP Security Patch Day, only 4 are new, while the rest are updates for existing patches.

10 of the patches included in the new SAP security notes are for JAVA (44 percent of the total), five are for Advanced Business Application Programming, or ABAP (22 percent), 4 are for HANA (17 percent), one for Oracle (4 percent), one for the SAP Client (4 percent), and 2 for other products (9 percent). None of the patches was for vulnerabilities considered “hot news.”

The most critical of the patches included in the January 2016 SAP Security Patch Day is for an Implementation flaw vulnerability in SAP on Oracle database that has a CVSS base score of 6.4 and which could cause unpredictable behavior of a system, affecting its stability and safety.

Another noteworthy issue is an OS command execution vulnerability in SAP System Administration Assistant that has a CVSS base score of 6.0 and which could allow an attacker run arbitrary commands on the target OS with the same privileges as the service that executes them. There is also an Encryption issues vulnerability in SAP HANA Database with a CVSS base score of 5.8, which affects the communication encryption feature in SAP HANA multi-tenant database container.

In December 2015, SAP patched 19 new vulnerabilities. In its Patch Day Security Notes for December 2015, the company said three were rated as “hot news” and 16 were classified as high severity. In November, security researcher Ashar Javed revealed a reflected XSS flaw on a website used by SAP to list jobs available within the company and said that a total of around one hundred sites were affected by the issue.