SAP has released its monthly critical patch update for December 2011. This patch update closes many vulnerabilities in SAP products, found by a number of different experts. As in previous months, ERPScan researchers Alexander Polyakov, Dmitriy Chastuchin and Alexey Tyurin are among them, with 6 newly found vulnerabilities.
As usual, SAP credited the ERPScan security researchers for the vulnerabilities they found on its acknowledgement page.
A detailed list of the corrected vulnerabilities is below:
- Multiple XSS vulnerabilities in different applications of NetWeaver J2EE Engine and Crystal Reports. Updates are available in SAP Security Notes 1568003, 1584030 and 1647871. Criticality according to CVSS is 4.3. An attacker can exploit an XSS vulnerability by sending a link containing a malicious script to an unsuspecting user via e-mail, messaging or social networks. The attacker can thereby gain access to the user's session and to the business-critical information that the victim can access.
- Denial of Service in BW. An update is available in SAP Security Note 1594475. Criticality according to CVSS is 4.0. A remote attacker can send a malicious packet to the SAP NetWeaver server via the Internet or from inside the company and cause a denial of service through resource exhaustion. This stops the server and all business processes running on it, which can lead to monetary and reputational loss.
- SMBRelay vulnerability in BW. An update is available in SAP Security Note 1594475. Criticality according to CVSS is 4.0. By exploiting this vulnerability, an internal or external attacker can gain access to the OS. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
- Directory Traversal in SAP Portal. An update is available in SAP Security Note 1630293. Criticality according to CVSS is 2.1. By exploiting this vulnerability, an internal attacker can access any file located in the SAP Portal server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
It is highly recommended to patch all of these issues to prevent business risks.
Solutions for these issues are available in SAP Security Notes 1568003, 1584030, 1647871, 1594475 and 1630293.
Advisories for these issues with technical details will be available in 3 months on erpscan.com.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.