SAP Patches Vulnerabilities

Friday, October 14, 2016 @ 05:10 PM gHale

SAP’s October patch release fixes 48 vulnerabilities in its products.

Among the fixes are 25 implementation flaws and 12 missing authorization checks.


SAP released 11 Patch Day Security Notes, along with an update to a previously issued security note. In addition, the company released 31 Support Package Security Notes, meant to improve “RFC security for CRM Solutions.”

Of the 48 Security Notes, only three rated as high priority, while the remaining 45 received a medium rating. The highest CVSS Base Score was 7.5. Implementation flaws were the most common vulnerability type this month, followed by missing authorization checks. Clickjacking, cross-site request forgery, cross-site scripting (XSS), SQL injection, and denial of service (DoS) flaws also ended up patched.

The most important vulnerabilities resolved this month include a DoS vulnerability in SAP ASE (CVSS Base Score of 7.5), a missing authentication check vulnerability in SAP NetWeaver AS JAVA P4 Servercore component (CVSS Base Score of 7.3), an SQL injection vulnerability in SAP ST-PI component (CVSS Base Score of 6.3), a cross-site scripting vulnerability in SAP MESSAGING SYSTEM SERVICE component (CVSS Base Score of 6.3), and a cross-site request forgery vulnerability in SAP BusinessObjects (CVSS Base Score of 6.1).