
SAP Security Notes April 2014 – Review

SAP has released the monthly critical patch update for April 2014. This patch update closes many vulnerabilities in SAP products; this month, code injection vulnerabilities are especially numerous.

The most critical issues

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 1971516: SAP Service Data Download has a code injection vulnerability. An attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, or control the behavior of the system; they can potentially escalate privileges by executing malicious code or even perform a DoS attack. It is recommended to install this SAP Security Note to prevent risks.
  • 1929473: SAP Manager Self-Service has a hardcoded credentials vulnerability. An attacker can use the hardcoded credentials for unauthorized access and perform actions in the system. In addition, such code is likely to serve as a backdoor into the system. It is recommended to install this SAP Security Note to prevent risks.
  • 1985100: SAP Class Builder has a code injection vulnerability. An attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, or control the behavior of the system; they can potentially escalate privileges by executing malicious code or even perform a DoS attack. It is recommended to install this SAP Security Note to prevent risks.
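The two defect classes in this list, code injection through dynamically generated ABAP (notes 1971516 and 1985100) and hardcoded credentials (note 1929473), are also the ones a custom-code review should look for in a customer's own Z-programs. The scanner below is an added example, not ERPScan's or SAP's code and not a description of how the notes above are triggered. It assumes the affected components are ABAP programs and that both defect classes can be surfaced lexically: the statements that turn data into executable code (`GENERATE SUBROUTINE POOL`, `INSERT REPORT`) and literal values assigned to secret-looking variables. The ABAP snippet it scans is constructed for the example.

```python
"""Lexical scan of ABAP source for two defect classes: dynamic code
generation sinks (code injection) and hardcoded credentials.
Added example; not ERPScan or SAP tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Statements that compile data into executable ABAP. Any value reaching
# them from user input is a code injection. (Assumption: the same class
# of defect as the Service Data Download and Class Builder notes.)
CODE_GEN_SINKS = re.compile(
    r"^\s*(GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT)\b", re.IGNORECASE)

# A string literal assigned (via '=' or a VALUE clause) to a variable whose
# name suggests a secret. Inline literal text without an assignment is
# ignored, so 'password prompt' in a WRITE statement is not a hit.
HARDCODED_CRED = re.compile(
    r"\b\w*(PASSWORD|PASSWD|PWD|SECRET)\w*[^'\n]*?(?:=|\bVALUE\b)\s*'[^']+'",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str        # 'code-injection-sink' or 'hardcoded-credential'
    statement: str


def strip_comment(line: str) -> str:
    """Drop ABAP comments: '*' in column 1 comments out the whole line,
    a double quote outside a single-quoted literal starts an inline comment."""
    if line.startswith("*"):
        return ""
    out, in_str = [], False
    for ch in line:
        if ch == "'":
            in_str = not in_str
        elif ch == '"' and not in_str:
            break
        out.append(ch)
    return "".join(out)


def scan_abap(source: str) -> list[Finding]:
    """Return findings in source order; comments never produce findings."""
    findings: list[Finding] = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw).strip()
        if not code:
            continue
        if CODE_GEN_SINKS.search(code):
            findings.append(Finding(no, "code-injection-sink", code))
        if HARDCODED_CRED.search(code):
            findings.append(Finding(no, "hardcoded-credential", code))
    return findings


# Constructed sample ABAP (not SAP code): one commented-out sink, two
# hardcoded credentials, one harmless literal, and two live sinks fed from
# an input parameter.
SAMPLE_ABAP = """\
REPORT zdemo_scan.
* GENERATE SUBROUTINE POOL mentioned in a comment: not a finding
DATA: lt_code TYPE TABLE OF string,
      lv_prog TYPE string,
      lv_pwd  TYPE string.
CONSTANTS lc_rfc_pwd TYPE string VALUE 'Init1234'.
lv_pwd = 'S3cret!'.           " also hardcoded
WRITE: / 'password prompt'.   " literal text, not an assignment
APPEND iv_user_input TO lt_code.
GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
insert report lv_prog from lt_code.
"""

if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f.line:>3}  {f.kind:<22} {f.statement}")
```

The scan is deliberately pattern-based: it reports every sink, not only the reachable ones, so each hit still needs a reviewer to trace whether the generated code or credential is under an external caller's control. Statements split across several lines, backtick string templates and dynamic `CALL FUNCTION` or `CALL TRANSACTION` targets are outside what this example covers.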

It is highly recommended to patch all those issues to prevent business risks.

SAP has traditionally sent acknowledgements for found vulnerabilities to security researchers on their acknowledgement page.

Checks for the issues are already available in ERPScan Security Monitoring Suite.