SAP on Tuesday released a series of updates for its products, patching a total of 21 vulnerabilities, including four high-priority flaws, one of which was rated “Hot News.”
The company included 13 security notes in its SAP Security Patch Day – June 2016, to which it added 2 updates to previously released Patch Day Security Notes. Alongside these 15 notes, SAP released 6 Support Package Notes, says ERPScan, a company that specializes in securing SAP and Oracle business-critical software.
According to SAP, one of the 15 resolved issues was rated ‘Hot News’, three were High severity, 10 Medium, and one Low. By type, four of the vulnerabilities were Cross-Site Scripting (XSS), three were missing authorization checks, two denial of service (DoS), one information disclosure, one code injection, and four other bugs.
The Hot News flaw is the code injection vulnerability in SAP Documentation and Translation Tools, which has a CVSS Base Score of 9.1. Depending on the injected code, an attacker could exploit it to execute arbitrary code, read data that should not be displayed, modify or delete data, alter the system's output, create new users with higher privileges, take control of the system's behavior and thereby escalate privileges, or even cause a denial of service.
Of the three High risk issues, one is an XSS in SAP DesignStudio SFIN, with a CVSS Base Score of 8.8, while another is an XML external entity (XXE) vulnerability in SAP Web-Survey, with a CVSS Base Score of 7.5 (it could allow an attacker to read files from the OS filesystem without authorization). SAP also resolved an XSS in SAP ecattping, with a CVSS Base Score of 6.1.
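The XXE class named above, as an added illustration that is not SAP's or ERPScan's code and says nothing about how SAP Web-Survey actually handled XML: a Python xml.sax parse of a constructed survey answer whose DOCTYPE declares a SYSTEM entity pointing at a local file, run once with external general entities resolved (the vulnerable configuration) and once with them disabled (the fix). The element names, the payload and the "secret" file are all constructed for the demo; the only real switch is xml.sax's feature_external_ges.

```python
"""Added example (not SAP's code): XML external entity (XXE) file read through
Python's xml.sax, beside the same parse with external general entities disabled.
The survey XML, entity name and secret file are constructed for this demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _CommentCollector(ContentHandler):
    """Accumulates the character data found inside the <comment> element."""

    def __init__(self):
        super().__init__()
        self._in_comment = False
        self.comment = []

    def startElement(self, name, attrs):
        self._in_comment = (name == "comment")

    def endElement(self, name):
        self._in_comment = False

    def characters(self, content):
        # Called for text from the document and, if the parser follows SYSTEM
        # entities, for the contents of the referenced file as well.
        if self._in_comment:
            self.comment.append(content)


def parse_survey_comment(xml_bytes, resolve_external_entities):
    """Return the <comment> text of a survey answer.

    resolve_external_entities=True reproduces a parser that follows SYSTEM
    entities (the XXE-vulnerable setting); False is the hardened setting.
    Modern CPython defaults this feature to False; it is set explicitly here
    so the two runs differ only in that one flag.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _CommentCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.comment)


def build_xxe_payload(path):
    """Constructed attacker input: an internal-subset entity whose SYSTEM
    identifier is a local file path, referenced from a text field."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE survey [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b'<survey><question id="1"/><comment>&xxe;</comment></survey>'
    )


def demo():
    """Write a constructed secret file, then parse the payload both ways.

    Returns (text seen by the vulnerable parser, text seen by the hardened one).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as f:
        f.write("db_password=hunter2")  # constructed sample secret, not real
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_survey_comment(payload, resolve_external_entities=True)
        blocked = parse_survey_comment(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))   # the file's contents
    print("hardened parser returned:  ", repr(blocked))  # empty string
```

The hardened run returns an empty comment because the entity reference is simply skipped; a parser that must accept DOCTYPEs from untrusted clients should also reject the internal subset outright, since parameter entities and out-of-band (blind) XXE are not covered by this one flag.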
According to ERPScan, its researchers discovered four of the vulnerabilities that SAP patched in the June 2016 security notes. One of these, an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component, was reported to SAP on April 20, 2013, but the company needed more than three years to resolve it.
The issue carries a CVSS v3 Base Score of 5.3/10 and can be exploited by an attacker to reveal additional information (system data, debugging information, etc.) that would help them learn about a system and plan further attacks. Given that BI Reporting and Planning was designed to transform and consolidate business information from virtually any source system, this vulnerability, if left unpatched, can put companies at serious risk.
ERPScan also explains that not all companies apply patches as soon as they are released, and that some issues remain unpatched for years after SAP releases the necessary security fixes. One recent example is the Invoker Servlet vulnerability, a flaw in built-in functionality of SAP NetWeaver Application Server Java (the SAP Java platform) that SAP patched in 2010. Researchers recently revealed that up to 36 global organizations were hacked by attackers exploiting this flaw.
Other issues that SAP resolved with the help of ERPScan researchers include the XSS vulnerability in SAP ecattping, a denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (with a CVSS Base Score of 4.9), and a directory traversal vulnerability in SAP Data Services (with a CVSS Base Score of 2.7).
The SAP NetWeaver ABAP platform, which is the backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM, was affected by the largest number of vulnerabilities. As usual, companies using any of the affected products are advised to apply the security patches as soon as possible to limit the business risk to their SAP systems.
Last month SAP resolved a Hot News flaw in ASE XPServer, along with 9 other vulnerabilities in products such as Crystal Reports for Enterprise, Predictive Analytics, and the SAP NetWeaver ABAP platform. In April, the company patched 19 flaws in its products, 10 of which had a high priority rating, after patching 28 vulnerabilities in March.