News

SAP SE Releases 11 Vulnerability Patch Kit

SAP SE has released a patch set that addresses 11 vulnerabilities in nine products. The severity of one of the new problems is rated as high, the rest – as moderate.

The developers have also updated critical vulnerability bulletins in the Business Client and SolMan Diagnostics Agent programs.

The business client is based on Chromium, and SAP adjusts the initial patch with each new release of this browser.

“The ability to inject commands into the Diagnostics Agent application (CVE-2019-0330) was first closed in July, but further exploration of this hole generated several more attack scenarios, and the patch was fixed every time”, – SAP SE reports in the update bulletin.

The latest update to the newsletter says that the new version of the patch is the most comprehensive.

Related Articles

Read also: Adobe patched 11 vulnerabilities in its web design tools

Of the recently discovered vulnerabilities, the most dangerous is CVE-2019-0396 (7.1 points on the CVSS scale). The reason for its appearance is incorrect filtering of the content of XML documents in the web interface of the BusinessObjects Business Intelligence (BI) administration platform.

“Such an error can lead to the disclosure of important information or a complete failure of the system”, – reported Onapsis security researchers that discovered the vulnerability.

The remaining problems received from 4.3 to 6.5 CVSS points. In the breakdown by types of vulnerabilities, the list of SAP can be represented as following:

  1. crossite scripting in BusinessObjects BI and the SAP Enable Now training platform;
  2. lack of access control in ERP Sales, SAP S / 4HANA Sales and Treasury and Risk Management applications;
  3. privilege escalation in the NetWeaver AS Java application server;
  4. implementation of SQL-code in the quality management program Quality Management;
  5. content spoofing in the HTTP request handler of the commercial JavaScript framework UI5;
  6. disclosure of information in the distributed data management software Data Hub and the NetWeaver AS Java server (in the latter case, according to Onapsis, the problem is caused by the lack of access control at the eCATT service level).
Onapsis experts also mention the high-risk vulnerability patched in Internet Pricing and Configurator (IPC), a feature found in many SAP applications, but it is not included in the new fix list.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

Back to top button