SAP has released a number of patches for its products. The German business application developer fixes three critical vulnerabilities that could lead to authentication bypasses, unauthorized access to files and the leak of confidential data, and introduced patches for several less dangerous errors.
Updated versions of programs are distributed through vendor support channels.“The greatest security risk is CVE-2019-0379, found in one of the modules of the SAP NetWeaver business platform. In the component Process Integration versions 1.0 and 2.0, there is a problem of checking security certificates during authorization“, – say the developers.
An attacker can use two arbitrary pairs of public keys to authenticate and gain access to the system. The bug was assessed as having a critical danger level and 9.3 points on the CVSS scale. The developers patched another critical error in SAP Landscape Management.
The disadvantage allows some security settings to be placed in public journals, which may lead to unauthorized disclosure of this information. The bug is registered as CVE-2019-0380 and rated at 9.1 CVSS points.
Read also: Canonical releases major updates to Linux kernel in Ubuntu
The CVE-2019-0380 vulnerability associated with the three database management products looks a little less dangerous. A binary file allocation error rated at 7.8 CVSS gives an attacker access to private directories.
The bug is present in the following programs:
- SAPIQ version 16.1
- SAPSQL Anywhere version 17.0;
- SAP Dynamic Tiering versions 0 and 2.0.
Several vulnerabilities with 4.3 to 5.4 CVSS scores were closed in the SAP Business Intelligence analytical platform, Financial Consolidation reporting application and B2B Toolkit of SAP NetWeaver. The result of their operation may be cross-site scripting, denial of service and bypass authorization procedures.