Patch Day: SAP Fills Holes

Monday, October 19, 2015 @ 07:10 PM gHale

SAP released patches to address a series of high severity vulnerabilities.

As part of its October 2015 Security Patch Day, the enterprise software maker released 29 patches and support packages. There are 17 new security notes and four updates to previous notes, SAP officials said.

Microsoft Patches Windows, IE, Edge, Office
OWA Server Attacked
Unsupported ICS: Not an Easy Upgrade
Age of New and Different

Of these 21 notes, one rated as critical and 15 came in at high priority. The security updates resolve missing authorization checks, information disclosure issues, cross-site scripting (XSS) flaws, buffer overflows, a missing authentication check, and a SQL injection vulnerability.

The most severe of the patched issues, with a CVSS score of 9.3, are a couple of vulnerabilities affecting the SAP HANA database management system. SAP patched the holes with the release of the 2197428 security note.

One of these bugs, which could lead to remote code execution, ended up found by SAP security solutions provider ERPScan.

“An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them,” ERPScan said in blog post. “The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.”

The second issue patched with the 2197428 note, discovered by SAP security provider Onapsis, is a buffer overflow vulnerability in the SQL interface of SAP Hana Extended Application Services.

The list of high priority issues patched by SAP includes an input validation vulnerability affecting the Service Data Control Center (SDCC) Download Function Module, a weakness exploitable via the RFC gateway against NetWeaver Search and Classification (TREX) or NetWeaver Business Warehouse Accelerator (BWA), and a remote code execution bug in 3D Visual Enterprise components.