SAP Patches 2 Critical Vulnerabilities

Monday, November 14, 2016 @ 04:11 PM gHale

SAP released its November security updates, fixing two critical OS command execution vulnerabilities.

The two critical flaws each have a CVSS Base Score of 9.1. One affects the SAP Report for Terminology Export component, the other the SAP Text Conversion component. Both could be exploited to execute OS commands without authorization.


SAP also released two high severity and six medium risk security notes, said Udit Singh of SAP's Product Security Response Team (Patch Day governance) in a blog post.

An attacker could leverage the OS command execution vulnerabilities to run operating system commands without authorization. The commands run with the same privileges as the service that executed them, so the attacker could access arbitrary files and directories on the SAP server's file system, such as application source code, configuration files, and critical system files.

Other critical flaws patched by SAP this month include a Denial of Service vulnerability in SAP Message Server (CVSS Base Score: 7.5) and an Information Disclosure vulnerability in the SAP Software Update Manager component (CVSS Base Score: 7.5). The former can be abused to terminate a process of the vulnerable component, while the latter can be leveraged to reveal additional information about the affected system.

Disclosed by ERPScan researchers, the Denial of Service vulnerability in SAP Message Server HTTP could allow an attacker to prevent legitimate users from accessing the service by crashing it. The Message Server, the researchers said, handles communication between elements of a Java cluster and should not be reachable from the Internet.

Along those lines, ERPScan said 3,783 SAP Message Server HTTP services are currently exposed online, most of them located in the United States. India is the second most affected country, followed by China, Germany, and Singapore.

Other vulnerabilities disclosed by ERPScan researchers and patched on this month's SAP Security Patch Day include an information disclosure vulnerability in SAP System Landscape Directory (CVSS Base Score: 5.3) and a SQL injection in SAP Hybris E-commerce Suite VirtualJDBC.

Overall, SAP patched six missing authorization check flaws, three cross-site scripting bugs, two OS command execution vulnerabilities, two information disclosure vulnerabilities, one DoS, one implementation flaw, and one clickjacking vulnerability.
