Enterprise software maker SAP has released patches to address a series of high severity vulnerabilities affecting various products.
As part of its October 2015 Security Patch Day, SAP released a total of 29 patches and support packages. According to SAP, there are 17 new security notes and four updates to previous notes.
Of these 21 notes, one has been rated critical and 15 have been classified as having high priority. The security updates resolve missing authorization checks, information disclosure issues, cross-site scripting (XSS) flaws, buffer overflows, a missing authentication check, and a SQL injection vulnerability.
The most severe of the patched issues, with a CVSS score of 9.3, is a remote command execution vulnerability affecting the SAP HANA database management system. The flaw was patched by SAP with the release of the 2197428 security note.
“An attacker can use Remote Command Execution to run commands remotely without authorization, under the privileges of the service that executes them,” SAP security solutions provider ERPScan said in an advisory describing the bug. “The attacker can access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and critical system files. It allows the attacker to obtain critical technical and business-related information stored in the vulnerable SAP system.”
Interestingly, both ERPScan and SAP security provider Onapsis have taken credit for reporting the flaw fixed with the 2197428 patch. Onapsis has described the issue as a buffer overflow vulnerability in the SQL interface of SAP Hana Extended Application Services.
The most likely scenario is that the companies independently reported the same flaw to SAP, ERPScan CTO Alexander Polyakov told SecurityWeek. This would indicate that the flaw is easy to find and it’s possible that others have known about it. However, there is also a slight possibility that each security firm reported different vulnerabilities that SAP decided to patch together.
The list of high priority issues patched by SAP includes an input validation vulnerability affecting the Service Data Control Center (SDCC) Download Function Module, a weakness that can be exploited via the RFC gateway against NetWeaver Search and Classification (TREX) or NetWeaver Business Warehouse Accelerator (BWA), and a remote code execution bug in 3D Visual Enterprise components.
An advisory published by Onapsis also summarizes other high severity issues patched by SAP with the October updates, including information disclosure related to NetWeaver Application Server Java, a log injection flaw affecting the HANA audit log, a directory traversal in a component of ABAP, and a validation failure issue is the Internet Communication Framework.
Missing authorization checks continue to be the most common flaws. A report published last year by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, roughly 20 percent were in this category.
Post a Comment