
SAP critical patch update January 2012

SAP has released its monthly critical patch update for January 2012. This patch update closes many vulnerabilities in SAP products. This month one critical vulnerability found by DSecRG researchers Alexey Sintsov, Alexander Polyakov and Alexey Tuyrin was closed.

The detailed list of corrected vulnerabilities is below:

  • A vulnerability was found in SAP Portal that allows any user to read any file from the operating system. Combined with the ability to read critical information such as encrypted passwords or database files, this vulnerability can be very dangerous. The update is available in SAP Note 1619539. Criticality according to CVSS is 6.8.

SAP traditionally sends acknowledgements for found vulnerabilities to security researchers from DSecRG on its acknowledgement page. Unfortunately, at the date of publishing this news it is not available.

It is highly recommended to patch all of these issues to prevent business risks.

Advisories for these issues with technical details will be available in 3 months on erpscan.com and also on the DSecRG.com site.

Exploits will soon be available in ERPScan Security Scanner and ERPScan SAAS.