SAP released its monthly critical patch update for April 2011. This patch update closes 8 public vulnerabilities in SAP products; 3 of those vulnerabilities were found by ERPScan researchers.
As usual, SAP has acknowledged the security researchers from ERPScan for the discovered vulnerabilities on its acknowledgement page.
The most critical one is an unauthorized information disclosure and memory corruption vulnerability in the SAP Kernel, which has a CVSS score of 7.5 (priority 1 according to SAP metrics). The others are cross-site scripting vulnerabilities in SAP NetWeaver.
It is highly recommended to patch all those issues to prevent business risks.
Solutions for those issues are available in SAP Security Notes: 1548548, 1543318, 1442517.
Advisories for those issues with technical details will be available in 3 months on erpscan.com site.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.