SAP Patch Day Brings 20 Fixes
Friday, September 11, 2015 @ 03:09 PM gHale
SAP, the German-based enterprise software maker, patched 20 vulnerabilities as part of its September security fixes.
In addition to fixing the 20 flaws, SAP also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.
Of the 25 patches released this week, eight address missing authorization checks and six address cross-site scripting (XSS) bugs. The remaining vulnerabilities could be exploited for information disclosure, cross-site request forgery (CSRF), remote code execution, SQL injection, and other types of attacks.
SAP only shares details on the patched security bugs with its customers.
The most serious vulnerability, with a CVSS score of 9.3, is a buffer overflow affecting SAP HANA Extended Application Services (XS). An attacker can leverage the flaw, patched with the 2197397 update, to execute malicious code with the privileges of the targeted application.
“This can lead to taking complete control over an application, denial of service, command execution, and other attacks,” said SAP solution provider, ERPScan. “In case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation.”
Another update rated very high, or “hot news,” is 850306, which, according to another SAP solution provider, Onapsis, covers several Oracle patches linked to SAP products.
Other serious issues are an OS command execution vulnerability related to a SAP function module, a missing authorization check in SAP Foreign Trade, a SAP NetWeaver Business Client flaw that can lead to information disclosure or a denial-of-service (DoS) condition, and a SQL injection in SAP Batch Processing.