SAP Service Pack fixes three critical vulnerabilities

SAP has released a number of patches for its products. The German business application developer fixed three critical vulnerabilities that could lead to authentication bypass, unauthorized access to files and leakage of confidential data, and released patches for several less dangerous errors.

Updated versions of programs are distributed through vendor support channels.

“The greatest security risk is CVE-2019-0379, found in one of the modules of the SAP NetWeaver business platform. In the component Process Integration versions 1.0 and 2.0, there is a problem of checking security certificates during authorization,” say the developers.

An attacker can use two arbitrary pairs of public keys to authenticate and gain access to the system. The bug was rated critical, with 9.3 points on the CVSS scale. The developers patched another critical error in SAP Landscape Management.

The flaw allows some security settings to be written to public journals, which may lead to unauthorized disclosure of this information. The bug is registered as CVE-2019-0380 and rated at 9.1 CVSS points.

The CVE-2019-0380 vulnerability associated with the three database management products looks a little less dangerous. A binary file allocation error rated at 7.8 CVSS gives an attacker access to private directories.

The bug is present in the following programs:

  1. SAP IQ version 16.1;
  2. SAP SQL Anywhere version 17.0;
  3. SAP Dynamic Tiering versions 0 and 2.0.

Several vulnerabilities with CVSS scores from 4.3 to 5.4 were closed in the SAP Business Intelligence analytical platform, the Financial Consolidation reporting application and the B2B Toolkit of SAP NetWeaver. Exploiting them may result in cross-site scripting, denial of service and bypass of authorization procedures.

The previous SAP security update package included 14 patches, four of which addressed critical vulnerabilities. Updates were received by the Windows version of the Solution Manager platform (SolMan), the HANA Extended Application Services application, the Business Client browser and other vendor products.

William Reddy
