SAP Security Notes August 2011 – Review
SAP Company has released August monthly set of updates. This set of updates closes more than 40 vulnerabilities is SAP products, 7 of which were found by outside the researchers. 5 vulnerabilities of the set were found by ERPScan employees.
SAP traditionally gave thanks to ERPScan researchers for the found vulnerabilities and the promotion for its closure on their portal.
The set of updates consists of patches for a number of dangerous vulnerabilities, including those presented at the recent the BlackHat conference in Las Vegas. The detailed list of the patched vulnerabilities is below:
- The most critical vulnerability is bypassing the authentication and authorization mechanisms in the JAVA engine and as a result getting administrator rights on the server. The update is available is SAP Security Note 1589525. The criticality according to CVSS is 10. The priority is 1 according to SAP metrics.
- The possibility of creating a user in a system with any rights via CSRF attack. The update is available in SAP Security Note 1616058. The criticality according to CVSS is 7.8. The priority is 1 according to SAP metrics.
- Implementation of random code of OS via vulnerable RFC module. Update is available in SAP Security Note 1580017. Criticality according to CVSS is 6.0. Priority is 2 according to SAP metrics.
- XSS in SAP BW. The update is available in SAP Security Note 1572325. The criticality according to CVSS is 4.3. The priority is 2 according to SAP metrics.
- The SMB Relay vulnerability in one of the reports. The update is available in SAP Security Note 1583286. The criticality according to CVSS is 2.3. The priority is 2 according to SAP metrics.
The details of two first mentioned vulnerabilities and other information about J2EE applications security of SAP platform are disposable in the document /wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf
It is highly recommended to download the updates which close the mentioned vulnerabilities. The information about the updates is available from the following SAP Security Notes: 1589525,1616058,1580017,1572325,1583286. Recommendations disclosing technical details of these vulnerabilities will be available in 3 months at erpscan.com Exploits will be available soon in ERPScan Security Scanner – innovative SAP vulnerability assessment solution and ERPScan SaaS.