Data Insider: Digital Guardian's Blog

September SAP Update Patches 14 Vulnerabilities

by Chris Brook on Wednesday September 12, 2018


SAP released its monthly critical patch update for September this week, fixing 14 vulnerabilities, including some that could have allowed users to access restricted data or cause a database server to crash.

SAP is encouraging administrators running its software to apply the updates this week; the 14 fixes close holes that put business-critical data at risk.

The company's Product Security Response Team released updates as part of Patch Tuesday, alongside Microsoft and Adobe, yesterday.

The most pressing issue concerns security updates for the Chromium browser control shipped with SAP Business Client. The fix was actually delivered back in April, but the corresponding security note has been updated and is included in this month's advisory. The issue, which carries a CVSS rating of 9.8, affects version 6.5 of Business Client.

The next most critical vulnerability could let an attacker use some versions of SAP Business One to access information in Crystal Reports, a business intelligence application, that should have been restricted. Two other high severity updates address a missing XML validation vulnerability in versions 7.30, 7.31, 7.40, 7.41 and 7.50 of SAP NetWeaver BI's BEx Web Java Runtime Export Web Service, and a denial of service vulnerability in versions 9.2 and 9.3 of SAP HANA.


The SAP HANA vulnerability can be triggered if an attacker sends a "large crafted request to a default API or ODATA services present in a HANA XS system abusing the XML parsing failure of one of the libraries which are used by xsengine to parse XML data strings," according to Onapsis, a firm that specializes in securing business-critical applications and which found the bug.

According to the researchers, the bug can also be exploited as a buffer overflow, which essentially makes xsengine stop responding in all of its threads. If abused, the vulnerability can render any application that relies on HANA XS (Extended Application Services) unresponsive.
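The general failure mode described above, an XML-consuming service that hands an arbitrarily large or crafted body straight to its parser, is worth seeing next to the usual mitigation. The following is an added illustration written for this post; it is not SAP's fix, not Onapsis's proof of concept, and says nothing about what the actual HANA XS request looked like. The size, depth and element-count limits are hypothetical values chosen for the demo, and the sample payloads are constructed, not captured traffic. It shows an unguarded parse beside a guarded one that refuses oversized bodies, DTD/entity declarations, and excessive nesting before or during parsing, so that a crafted request is rejected cheaply rather than tying up the parser.

```python
"""Added illustration: bounding XML request bodies before parsing.

Not SAP or Onapsis code. Limits below are hypothetical demo values;
sample payloads are constructed, not real HANA XS traffic.
"""
import xml.etree.ElementTree as ET

# Hypothetical limits for the illustration; a real service would size these
# from its own request profile rather than copy these numbers.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class RejectedRequest(Exception):
    """Raised by the guard instead of letting the parser work on the body."""


def parse_unguarded(body: bytes) -> ET.Element:
    """The pattern that gets services into trouble: hand whatever arrived
    straight to the XML library and let it cope with the size and shape."""
    return ET.fromstring(body)


def parse_guarded(body: bytes) -> ET.Element:
    """Reject oversized, DTD-bearing, deeply nested or element-heavy bodies
    before (size, DTD) or during (depth, count) parsing."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedRequest("body-too-large")
    lowered = body.lower()
    # Cheap textual check: the service never legitimately needs a DTD, so any
    # DOCTYPE/ENTITY declaration is refused without parsing it.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise RejectedRequest("dtd-not-allowed")

    parser = ET.XMLPullParser(events=("start", "end"))
    root = None
    depth = 0
    elements = 0
    try:
        parser.feed(body)
        # Walk the event stream and abort as soon as a structural limit trips.
        for event, elem in parser.read_events():
            if event == "start":
                if root is None:
                    root = elem
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    raise RejectedRequest("nesting-too-deep")
                if elements > MAX_ELEMENTS:
                    raise RejectedRequest("too-many-elements")
            else:
                depth -= 1
        parser.close()  # raises ParseError on an unterminated document
    except ET.ParseError as exc:
        raise RejectedRequest(f"malformed-xml: {exc}") from None
    if root is None:
        raise RejectedRequest("empty-body")
    return root


def guard_verdict(body: bytes) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        parse_guarded(body)
        return "accepted"
    except RejectedRequest as exc:
        return str(exc)


# Constructed sample requests (not captured traffic).
NORMAL = (b'<?xml version="1.0"?><entry xmlns="http://www.w3.org/2005/Atom">'
          b"<content><properties><Name>demo</Name></properties></content></entry>")
OVERSIZED = b"<feed>" + b"<entry><id>x</id></entry>" * 5000 + b"</feed>"
DEEP = b"<a>" * 200 + b"</a>" * 200
ENTITY = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><r>&b;</r>')

if __name__ == "__main__":
    for name, body in [("normal", NORMAL), ("oversized", OVERSIZED),
                       ("deep", DEEP), ("entity", ENTITY)]:
        print(f"{name:9s} unguarded parses tag {parse_unguarded(body).tag!r}; "
              f"guarded verdict: {guard_verdict(body)}")
```

The unguarded path accepts all four bodies, including the 125 KB feed and the 200-deep nesting, because nothing in the code base tells the library where to stop; the guarded path accepts only the normal Atom entry. The point of the size check running first is that it costs one integer comparison, so a flood of large bodies is dropped before any parser memory is allocated.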

The remaining updates resolve medium severity issues, including a pair of cross-site scripting vulnerabilities, a server-side request forgery, another missing XML validation vulnerability, a trio of missing authorization checks, and two more information disclosure vulnerabilities.

According to Onapsis, one of the XSS vulnerabilities, in NW AS Java Logon in SAP NetWeaver AS Java, could lead to defacement, compromise of user credentials, or user impersonation.

In addition to the company's Business Client and Business One products, the patches resolve issues in products including WebDynpro, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, Mobile Platform, and Enterprise Financial Services.

The total number of updates falls in line with last month's, which also saw 14 updates, and is slightly down from July's, which saw 16 issues fixed.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.