
SAP Updates Patch Twenty Vulnerabilities

Germany-based enterprise software maker SAP has addressed a total of twenty vulnerabilities as part of its September 2015 Security Patch Day.

In addition to fixing 20 new flaws, SAP noted that it has also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.


Of the 25 patches released this week (20 new and five updated), eight address missing authorization checks and six address cross-site scripting (XSS) bugs. The remaining vulnerabilities can be exploited for information disclosure, cross-site request forgery (CSRF), remote code execution, SQL injection, and other types of attacks.

SAP only shares details on the patched security bugs with its customers. However, SAP security solutions providers ERPScan and Onapsis have released some information on the vulnerabilities fixed with the September 2015 updates. It’s worth noting that some of the flaws patched this month have been identified by researchers from these companies.

The most serious vulnerability, with a CVSS score of 9.3, is a buffer overflow affecting SAP HANA Extended Application Services (XS). The flaw, patched with the 2197397 update, can be exploited by an attacker to execute malicious code with the privileges of the targeted application.

“This can lead to taking complete control over an application, denial of service, command execution, and other attacks,” ERPScan said. “In case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation.”

Another update rated “hot news” is 850306, which, according to Onapsis, summarizes several Oracle patches linked to SAP products.

Other serious issues are an OS command execution vulnerability related to a SAP function module, a missing authorization check in SAP Foreign Trade, a SAP NetWeaver Business Client flaw that can lead to information disclosure or a denial-of-service (DoS) condition, and a SQL injection in SAP Batch Processing.


Missing authorization checks continue to be a common issue in SAP products. A report published in 2014 by ERPScan showed that of the roughly 3,000 vulnerabilities patched by SAP since 2001, more than 700 (about 20 percent) were missing authorization flaws. Most of those 700 issues affected SAP NetWeaver ABAP.
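What a "missing authorization check" in NetWeaver ABAP typically looks like, as an added example that is not part of the article and not code from SAP or from the patched notes: a remote-enabled function module that returns sensitive data without ever consulting the caller's authorizations, shown next to a version that fails closed. The function names (Z_DEMO_GET_BANK_DATA, Z_DEMO_GET_BANK_DATA_SAFE), the table ZBANK_DATA and the authorization object Z_BANK with fields BUKRS and ACTVT are assumptions for illustration; S_RFC, ACTVT and the display activity '03' are standard SAP objects and values.

```abap
* Added example (not from the article, not SAP code). Assumed names:
* Z_DEMO_GET_BANK_DATA, Z_DEMO_GET_BANK_DATA_SAFE, table ZBANK_DATA,
* custom authorization object Z_BANK with fields BUKRS and ACTVT.

*---------------------------------------------------------------------
* Vulnerable: the only gate between a remote caller and the data is
* S_RFC on the function group, which most dialog and RFC users hold.
* Nothing here checks whether the caller may see company code IV_BUKRS.
*---------------------------------------------------------------------
FUNCTION z_demo_get_bank_data.
*"  IMPORTING
*"     VALUE(iv_bukrs) TYPE bukrs
*"  TABLES
*"     et_bank STRUCTURE zbank_data
  SELECT * FROM zbank_data INTO TABLE et_bank
    WHERE bukrs = iv_bukrs.
ENDFUNCTION.

*---------------------------------------------------------------------
* Hardened: check the caller's authorization for this company code and
* activity before touching the table, and raise an exception (no data
* returned) when sy-subrc is non-zero.
*---------------------------------------------------------------------
FUNCTION z_demo_get_bank_data_safe.
*"  IMPORTING
*"     VALUE(iv_bukrs) TYPE bukrs
*"  TABLES
*"     et_bank STRUCTURE zbank_data
*"  EXCEPTIONS
*"     no_authority
  " Z_BANK is an assumed customer authorization object; ACTVT '03' is
  " the standard "display" activity.
  AUTHORITY-CHECK OBJECT 'Z_BANK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " Fail closed: the caller learns only that it is not authorized.
    RAISE no_authority.
  ENDIF.

  SELECT * FROM zbank_data INTO TABLE et_bank
    WHERE bukrs = iv_bukrs.
ENDFUNCTION.
```

The check must sit in the function module itself: marking a module "Remote-Enabled" in SE37 only adds the S_RFC check on the function group, so any user who can reach the group can reach every module in it. When reviewing custom code, a quick triage is to list remote-enabled Z/Y function modules and grep their source for AUTHORITY-CHECK; a sensitive module without one, or one that ignores sy-subrc after the check, is exactly the class of flaw the article says makes up a fifth of SAP's patches.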

Last month, SAP released 26 patches, 15 of which were rated as having high severity.

Related Reading: Majority of SAP Attacks Use One of Three Common Techniques

Related Reading: SAP Encryption Issues Pose Serious Risk to Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
