Serious Vulnerabilities Patched in SAP Products

Enterprise software maker SAP has released patches to address a series of high severity vulnerabilities affecting various products.

As part of its October 2015 Security Patch Day, SAP released a total of 29 patches and support packages. According to SAP, there are 17 new security notes and four updates to previous notes.

Of these 21 notes, one has been rated critical and 15 have been classified as having high priority. The security updates resolve missing authorization checks, information disclosure issues, cross-site scripting (XSS) flaws, buffer overflows, a missing authentication check, and a SQL injection vulnerability.

The most severe of the patched issues, with a CVSS score of 9.3, are a couple of vulnerabilities affecting the SAP HANA database management system. The flaws were patched by SAP with the release of the 2197428 security note.

One of these bugs, which could lead to remote code execution, was discovered by SAP security solutions provider ERPScan. 

“An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them,” ERPScan said in an advisory. “The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.”

The second issue patched with the 2197428 note, discovered by SAP security provider Onapsis, is a buffer overflow vulnerability in the SQL interface of SAP HANA Extended Application Services.

The list of high priority issues patched by SAP includes an input validation vulnerability affecting the Service Data Control Center (SDCC) Download Function Module, a weakness that can be exploited via the RFC gateway against NetWeaver Search and Classification (TREX) or NetWeaver Business Warehouse Accelerator (BWA), and a remote code execution bug in 3D Visual Enterprise components.

An advisory published by Onapsis also summarizes other high severity issues patched by SAP with the October updates, including information disclosure related to NetWeaver Application Server Java, a log injection flaw affecting the HANA audit log, a directory traversal in a component of ABAP, and a validation failure issue in the Internet Communication Framework.

Missing authorization checks continue to be the most common flaws. A report published last year by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, roughly 20 percent were in this category.

*Updated to clarify that the 2197428 note patches two different vulnerabilities. An earlier version of the article incorrectly stated that both ERPScan and Onapsis reported the same flaw.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.