The company is preparing 11 patches to correct these flaws
Last Tuesday the SAP business provider launched 11 different security alerts for its users. According to cybersecurity and ethical hacking specialists from the International Institute of Cyber Security, the company informed its customers about the launch of a series of security patches to correct vulnerabilities recently found in the data management system.
Heading the list of found vulnerabilities is a 2.11.3 version of SAP Cloud Connector that has been tracked as CVE-2019-0246. According to reports from cybersecurity specialists, this software performs poor authentication for the functions that require verifying the user’s identity. Exploiting a related vulnerability (CVE-2019-0247) would allow remote code execution attack.
Then there is SAP Landscape Management, which presents a critical information-leaking vulnerability (tracked as CVE-2019-0249).
Two SAP products presented additional authentication errors — the SAP data store system and SAP Enterprise Financial Services. Both vulnerabilities (CVE-2019-0243 and CVE-2018-2484) are errors in the authentication process that could allow an attacker to run a privilege escalation, as reported by several cybersecurity experts.
On the other hand, the SAP Financial Consolidation Cube Designer software presents a vulnerability that could reveal password details (CVE-2018-2499), and the ABAP application server would present information leaking without authorization vulnerability (CVE-2019-0248).
Two denial-of-service (DDoS) vulnerabilities were also found. The first of these flaws was found in SAP Work and Inventory Management (CVE-2019-0241); the second was found acting through malicious links specially crafted in the Business Objects Tool for Android (CVE-2019-0240).
Finally, XSS vulnerability was found in SAP Commerce (CVE-2019-0238) and two others in the Enterprise CRM User Interface (CVE-2019-0244 and CVE-2019-0245).
Full details about these vulnerabilities can be found on the SAP support page. The company’s customers are encouraged to update their tools as soon as possible.