SAP Patches 22 Vulnerabilities

Tuesday, August 18, 2015 @ 11:08 AM gHale

Enterprise software developer SAP released patches to fix 22 vulnerabilities as part of its August 2015 Security Patch Day.

In addition to providing fixes for 22 new vulnerabilities, SAP updated four previous patches. A majority of the fixed issues are cross-site scripting (XSS) and information disclosure flaws, the company said. In addition, 15 of the 26 vulnerabilities are in the “high severity” classification.

Sensitive Info Disclosure Hole in NetWeaver
SCADA Hack Uncovered
Security Provider Hacked
Utility Attacked

SAP has not made public any details on the patched flaws, but one company that specializes in protecting SAP and Oracle business-critical ERP systems, ERPScan, shared information on the most serious vulnerabilities.

ERPScan’s own researchers identified three of the SAP product vulnerabilities patched. The list includes XML External Entity (XXE) bugs in SAP Mobile Platform 2.3 and SAP NetWeaver Portal, and an XSS in SAP Afaria 7.

According to the security firm, there are four critical vulnerabilities that SAP customers should patch as soon as possible.

One of these critical issues, with a CVSS score of 8.5, is a remote code execution flaw in SAP ST-P that can end up exploited by an attacker to compromise SAP servers and access the information stored on them. This can including source code, configuration files, critical system files, and business-related information, ERPScan said.

Another serious vulnerability affects the SAP NetWeaver AFP Servlet. The security hole, known as Reflected File Download (RFD), can end up exploited to push malware onto victims’ devices by tricking them into clicking on a specially crafted link.

ERPScan warns SAP HANA users about two flaws. One of them can terminate a process, which can lead to service disruptions, while the other bug is from an incorrect system configuration that can allow an attacker to access internal HANA services without authentication.