SAP has released the monthly critical patch update for December 2013. This patch update closes a lot of vulnerabilities in SAP products. This month, three critical vulnerabilities found by ERPScan researchers Alexander Polyakov, George Nosenko, Alexey Tyurin, and Nikolay Mescherin were closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
- 1927859: SAP Sybase ASE is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1773912: SAP Message Server is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1896988: SAP ST05 is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An information disclosure vulnerability in SAP Portal. Update is available in SAP Security Note 1852146. An attacker can discover information related to the landscape configuration.
- An XXE vulnerability in SAP CRM-BTX-GW. Update is available in SAP Security Note 1917054. An attacker can modify an XML-based request to include XML content that is parsed locally.
- A missing authorization check vulnerability in SAP Message Server. Update is available in SAP Security Note 1773912. An attacker can get access to some functions in Message Server without authorization.
It is highly recommended to patch all those issues to prevent business risks.
SAP traditionally sent acknowledgements for found vulnerabilities to security researchers from ERPScan at their acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.