SAP Patches Highest Number of Critical Flaws Since 2014
SAP released Security Patch Day updates for August 2019 that address three critical vulnerabilities in the company’s products.
SAP has released its Security Patch Day for August. This month the company addresses several flaws, including three critical vulnerabilities (Hot News), the highest number of critical flaws since 2014. The August Patch Day includes a total of 23 SAP Security Notes.
“On 13th of August 2019, SAP Security Patch Day saw the release of 12 Security Notes. There is 1 update to previously released Patch Day Security Notes.” reads the advisory published by SAP.
Experts from Onapsis noticed that this SAP Security Patch Day has the highest number of critical notes in 2019: three HotNews and two High Priority Notes released, plus one re-released HotNews note.
SAP released 12 Security Notes to address flaws in NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.
One of the Hot News notes is an update to a Security Note initially released in April 2018 for Business Client; the other Hot News notes are:
- A remote code execution flaw in the NetWeaver UDDI Server, tracked as CVE-2019-0351. This issue has a CVSS score of 9.9, the highest assigned this year, and could be exploited by an attacker to inject code into working memory.
- Multiple code injection vulnerabilities in Commerce Cloud, tracked as CVE-2019-0344.
- A server-side request forgery (SSRF) vulnerability in the NetWeaver Application Server for Java, tracked as CVE-2019-0345, that could be exploited by an attacker to gain admin access to the Management Console for SAP Java systems. The issue was discovered by Onapsis researchers.
“For the first time this year, SAP has published a Security Note with a CVSS of 9.9. This top scorer, SAP Security Note #2800779, is titled “Remote Code Execution (RCE) in SAP Netweaver UDDI Server (Services Registry)” and warns that attackers can take advantage of a buffer overflow vulnerability to inject code into the working memory.” reads the analysis published by Onapsis. “Because of the low complexity of this attack scenario in conjunction with the wide range of possible damages (e.g. information disclosure, data manipulation and destruction) up to the complete control of the product, this Note is considered as the most critical one to be released by SAP in 2019.”
SAP Security Patch Day for August 2019 also addressed two “high severity” issues: a DoS vulnerability in SAP HANA and a missing authorization check in an SAP kernel package.
“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” concludes Onapsis.