SAP Security Updates Patch 4 New Vulnerabilities

Enterprise software maker SAP on Tuesday released a new set of security updates for its products in its SAP Security Patch Day for January 2016.

The company has addressed a total of 23 vulnerabilities in SAP products (3 of which are Support Package Security notes), including 13 security flaws that have a high priority rating. As usual, SAP included in the security notes patches that have been delivered before Tuesday, as well as patches for newly discovered vulnerabilities.

Five of the vulnerabilities were cross-site scripting (XSS) flaws, making this the most common issue in SAP products. According to the security notes, SAP also patched 4 information disclosure flaws, 2 denial of service vulnerabilities, 2 missing authorization check issues, one missing authentication check issue, and 5 other vulnerabilities.

ERPScan, which specializes in securing SAP and Oracle business software, explains in a blog post that the 3 support package security notes included 2 missing authorization check issues and one Cross-site request forgery (XSRF) vulnerability. 

These include two Log Injection and Denial of service vulnerabilities in SAP HANA Extended Application Services Classic (XS), with a CVSS base score of 5.0; a cross-site scripting vulnerability in SAP RWB, with a CVSS score of 4.3; a cross-site scripting vulnerability in SAP PMI, with a CVSS score of 4.3, and an information disclosure vulnerability in SAP User Management Engine, with a CVSS score of 3.5.

ERPScan also told SecurityWeek that, of the total number of patches released as part of the January 2016 SAP Security Patch Day, only 4 are new, while the rest are updates for existing patches.

10 of the patches included in the new SAP security notes are for JAVA (44 percent of the total), five are for Advanced Business Application Programming, or ABAP (22 percent), 4 are for HANA (17 percent), one for Oracle (4 percent), one for the SAP Client (4 percent), and 2 for other products (9 percent). None of the patches was for vulnerabilities considered “hot news.”

The most critical of the patches included in the January 2016 SAP Security Patch Day is for an Implementation flaw vulnerability in SAP on Oracle database that has a CVSS base score of 6.4 and which could cause unpredictable behavior of a system, affecting its stability and safety.


Another noteworthy issue is an OS command execution vulnerability in SAP System Administration Assistant that has a CVSS base score of 6.0 and which could allow an attacker to run arbitrary commands on the target OS with the same privileges as the service that executes them. There is also an encryption issues vulnerability in SAP HANA Database with a CVSS base score of 5.8, which affects the communication encryption feature in SAP HANA multi-tenant database containers.

In December 2015, SAP patched 19 new vulnerabilities. In its Patch Day Security Notes for December 2015, the company said three were rated as “hot news” and 16 were classified as high severity. In November, security researcher Ashar Javed revealed a reflected XSS flaw on a website used by SAP to list jobs available within the company and said that a total of around one hundred sites were affected by the issue.
