SAP has released its monthly critical patch update for August 2012. This update closes 24 vulnerabilities in SAP products (one rated HotNews, the most severe category, 16 with high priority and 7 with medium priority).
The following problems were found:
- 6 information disclosures
- 4 missing authorization checks
- 4 XSS
- 2 directory traversals
- 1 code injection
- 1 hardcoded username
- 1 denial of service
Some of our readers and clients have asked us to categorize the most critical issues so that they can be patched first. The most critical issues of this update are addressed by the following SAP Security Notes:
This patch day closes several architectural issues alongside typical problems such as XSS and missing authorization checks. As last month, the problems relate to the XML interface, but a different area of XML security is covered this time. SAP closes XML encryption issues in Notes 1687334 and 1684632, and we recommend installing them to prevent attacks on XML interfaces. Access to XML interfaces is usually protected by authentication, but some interfaces can be reached without authentication, for example DilbertMSG. We disclosed this issue at BlackHat, so it is also a good moment to check whether SAP Security Note 1707494 is installed and to implement it if it is not.
Some of the other issues were found by ERPScan researchers Alexander Polyakov and Alexey Tyurin. They are not as critical as the problems above, but they should also be patched.
The detailed list of corrected vulnerabilities is below:
- An XML entity vulnerability in SAP BW. The fix is available in SAP Security Note 1728500. The criticality level is 5.0 according to CVSS.
- An XSS vulnerability in SAP NetWeaver. The fix is available in SAP Security Note 1721309. The criticality level is 4.3 according to CVSS.
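The XML entity issue in SAP BW above, and the unauthenticated XML interfaces discussed earlier, both come down to a parser that honours DTD and entity declarations in untrusted input. As an added illustration (not code from SAP or from this advisory), the following Python gate parses XML with the standard-library expat parser while refusing any DOCTYPE, entity declaration or external entity reference; the two input documents are constructed samples and the SYSTEM URI is a placeholder.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an untrusted document carries a DTD or entity declaration."""


def parse_untrusted_xml(xml_bytes: bytes) -> dict:
    """Parse XML, refusing DTDs and entities, and return {element path: text}."""
    parser = xml.parsers.expat.ParserCreate()
    fields, path, text_buf = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared; refuse it outright.
        raise UnsafeXmlError(f"DOCTYPE {name!r} refused: no DTDs accepted on this interface")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: should never fire once DOCTYPE is refused.
        raise UnsafeXmlError(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, sysid, pubid):
        return 0  # returning 0 makes expat abort with an ExpatError instead of fetching sysid

    def on_start(tag, attrs):
        path.append(tag)
        text_buf.clear()

    def on_text(data):
        text_buf.append(data)

    def on_end(tag):
        text = "".join(text_buf).strip()
        if text:  # keep only leaf text, enough for this demonstration
            fields["/".join(path)] = text
        path.pop()
        text_buf.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return fields


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the gate lets the document through, False if it is refused."""
    try:
        parse_untrusted_xml(xml_bytes)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a plain business document and one declaring an external entity.
BENIGN = b'<?xml version="1.0"?><order><id>4711</id><customer>ACME</customer></order>'
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER" > ]>'
               b'<order><id>&ext;</id></order>')
```

Running `is_accepted` over inbound requests on an interface that takes XML without authentication gives a cheap compensating control while the notes above are being rolled out.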
SAP has traditionally published acknowledgements for vulnerabilities found by ERPScan researchers on its acknowledgement page.
It is highly recommended to patch all of these issues to prevent business risks.
Checks for the new issues are available in ERPScan – the innovative SAP vulnerability assessment solution.