
September SAP Update Patches 14 Vulnerabilities

by Chris Brook on Wednesday September 12, 2018


SAP released its monthly critical patch update for September this week, fixing 14 vulnerabilities, including some that could have allowed users to access restricted data or cause a database server to crash.

SAP is encouraging administrators running its software to update this week to resolve the 14 vulnerabilities and safeguard business-critical data.

The company's Product Security Response Team released updates as part of Patch Tuesday, alongside Microsoft and Adobe, yesterday.

The most pressing issue, security updates for the Chromium browser control, was actually delivered with SAP Business Client back in April, but an update to that security note is included in this month's advisory. The issue, which received a CVSS rating of 9.8, affects version 6.5 of the Business Client.

The next most critical vulnerability could let an attacker access sensitive information that should be restricted in Crystal Report, a business intelligence application shipped with some versions of SAP Business One. Two other high severity updates address a missing XML validation vulnerability in versions 7.30, 7.31, 7.40, 7.41 and 7.50 of SAP NetWeaver BI's BEx Web Java Runtime Export Web Service, and a denial of service vulnerability in versions 9.2 and 9.3 of SAP HANA.


The SAP HANA vulnerability can be carried out if an attacker sends a "large crafted request to a default API or ODATA services present in a HANA XS system abusing the XML parsing failure of one of the libraries which are used by xsengine to parse XML data strings," according to Onapsis, a firm that specializes in business-critical applications and found the bug.

According to the researchers, an attacker could also exploit the bug via a buffer overflow, essentially making xsengine stop responding in all of its threads. If abused, the vulnerability can make any application supported by HANA XS Extended Application Services unresponsive.
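The HANA issue above comes down to a large, crafted XML request that the XML library cannot handle gracefully, so the worker threads stop responding. Beyond applying the SAP note, a general defensive pattern for any service that accepts XML is to bound the request before it ever reaches the parser: reject oversized bodies, refuse DTD and entity declarations, and cap nesting depth and element count while streaming through the document. The following is an added illustration of that pre-parse gate, written for this article rather than taken from SAP or Onapsis; the size and depth limits, the `check_xml_body` and `accepts` names, and the sample requests are all assumptions constructed for the example.

```python
"""Pre-parse gate for XML request bodies (illustrative, not SAP code).

Bounds a request before it reaches the real XML parser so that an
oversized or pathologically nested document is rejected early instead
of tying up a worker thread. Limits below are assumed values.
"""
from xml.parsers import expat

MAX_BODY_BYTES = 64 * 1024   # assumed: generous for an OData-style request
MAX_DEPTH = 32               # assumed: deeper nesting is treated as hostile
MAX_ELEMENTS = 5000          # assumed: cap on total element count


class XmlRejected(ValueError):
    """Raised when a request body fails one of the pre-parse checks."""


def check_xml_body(body: bytes) -> dict:
    """Validate an XML request body against size, DTD, depth and element limits.

    Returns {'depth': max_depth, 'elements': count} for an acceptable body,
    or raises XmlRejected with a reason. Uses expat in streaming mode so a
    hostile document is abandoned as soon as a limit is crossed.
    """
    if len(body) > MAX_BODY_BYTES:
        raise XmlRejected(f"body too large: {len(body)} bytes")
    # Internal DTDs and entity declarations enable entity-expansion attacks;
    # a data API has no legitimate need for them, so refuse outright.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise XmlRejected("DTD/entity declarations not allowed")

    depth = 0
    max_depth = 0
    count = 0

    def start(name, attrs):
        nonlocal depth, max_depth, count
        depth += 1
        count += 1
        max_depth = max(max_depth, depth)
        if depth > MAX_DEPTH:
            raise XmlRejected(f"nesting depth exceeds {MAX_DEPTH}")
        if count > MAX_ELEMENTS:
            raise XmlRejected(f"element count exceeds {MAX_ELEMENTS}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        # Exceptions raised inside the handlers propagate out of Parse().
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return {"depth": max_depth, "elements": count}


def accepts(body: bytes) -> bool:
    """Convenience wrapper: True if the body passes the gate, else False."""
    try:
        check_xml_body(body)
        return True
    except XmlRejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "normal feed": b"<feed><entry><id>1</id><title>t</title></entry></feed>",
        "oversized": b"<a>" + b"x" * MAX_BODY_BYTES + b"</a>",
        "deep nesting": b"<a>" * 40 + b"</a>" * 40,
        "element flood": b"<r>" + b"<e/>" * 6000 + b"</r>",
        "malformed": b"<a><b></a>",
    }
    for label, body in samples.items():
        try:
            print(f"{label}: accepted {check_xml_body(body)}")
        except XmlRejected as why:
            print(f"{label}: rejected ({why})")
```

The gate is cheap because expat streams through the body without building a tree; the document is handed to the application's real parser only after it passes. In a deployment, the limits would be tuned to the largest legitimate request the API is expected to serve.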

The remaining vulnerabilities are largely medium severity issues, including a pair of cross-site scripting vulnerabilities, a server-side request forgery, a missing XML validation vulnerability, a trio of missing authorization checks, and two more information disclosure vulnerabilities.

According to Onapsis, one of the XSS vulnerabilities, in NW AS Java Logon in SAP NetWeaver AS Java, could lead to defacement, compromise of user credentials, or user impersonation.

In addition to the company's Business Client and Business One products, the patches resolve issues in software like WebDynpro, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, Mobile Platform, and Enterprise Financial Services.

The total number of updates falls in line with last month's, which also saw 14 updates, compared with July's, which saw 16 issues fixed.

Tags:  Vulnerabilities
