Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Updates Patch Twenty Vulnerabilities

Germany-based enterprise software maker SAP has addressed a total of twenty vulnerabilities as part of its September 2015 Security Patch Day.

In addition to fixing 20 new flaws, SAP noted that it has also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.

Germany-based enterprise software maker SAP has addressed a total of twenty vulnerabilities as part of its September 2015 Security Patch Day.

In addition to fixing 20 new flaws, SAP noted that it has also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.

Of the total of 25 patches released this week, eight are missing authorization checks, and six are cross-site scripting (XSS) bugs. The rest of the vulnerabilities can be exploited for information disclosure, cross-site request forgery (CSRF), remote code execution, SQL injection, and other types of attacks.

SAP only shares details on the patched security bugs with its customers. However, SAP security solutions providers ERPScan and Onapsis have released some information on the vulnerabilities fixed with the September 2015 updates. It’s worth noting that some of the flaws patched this month have been identified by researchers from these companies.

The most serious vulnerability, with a CVSS score of 9.3, is a buffer overflow affecting SAP HANA Extended Application Services (XS). The flaw, patched with the 2197397 update, can be exploited by an attacker to execute malicious code with the privileges of the targeted application.

“This can lead to taking complete control over an application, denial of service, command execution, and other attacks,” ERPScan said. “In case of command execution, attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation.”

Another update rated “hot news” is 850306, which, according to Onapsis, summarizes several Oracle patches linked to SAP products.

Other serious issues are an OS command execution vulnerability related to a SAP function module, a missing authorization check in SAP Foreign Trade, a SAP NetWeaver Business Client flaw that can lead to information disclosure or a denial-of-service (DoS) condition, and a SQL injection in SAP Batch Processing.

Missing authorization continues to be a common issue in SAP products. A report published in 2014 by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, more than 700 (20 percent) were missing authorization flaws. Of these 700 issues, most affected SAP NetWeaver ABAP.

Last month, SAP released 26 patches, 15 of which were rated as having high severity.

Related Reading: Majority of SAP Attacks Use One of Three Common Techniques

Related Reading: SAP Encryption Issues Pose Serious Risk to Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.