SAP Security Notes February 2013 – Review

SAP has released the monthly critical patch update for February 2013. This patch update closes many vulnerabilities in SAP products. This month, two critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Nikolay Mescherin were closed.

The most critical issues

Some of our readers and clients asked us to identify the most critical issues so that they can be patched first. The most critical issues of this update are addressed by the following SAP Security Notes:

  • 1800603: SAP Message Server is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
  • 1785761: SAP Basis is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
  • 1764994: SAP Kernel is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
  • 1757675: SAP NetWeaver J2EE is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.

Issues that were patched with the help of ERPScan

The detailed list of issues that were found by ERPScan researchers and corrected by SAP this month is below:

  • A directory traversal vulnerability in a SAP NetWeaver J2EE application. An attacker can create new files on the system. Update is available in SAP Security Note 1757675.
  • An SMBRelay vulnerability in the SAP NetWeaver ALV component. Update is available in SAP Security Note 1446476.
  • A vulnerability in SAP Portal that allows any user to read any file from the operating system. Combined with the ability to read critical information such as encrypted passwords or database files, this vulnerability can be very dangerous. Update is available in SAP Security Note 1619539.

It is highly recommended to patch all of these issues to prevent business risks.

As is traditional, SAP acknowledged the ERPScan security researchers for the vulnerabilities they found on its acknowledgement page.

Advisories for those issues with technical details will be available in 3 months at erpscan.com.

Exploits for the most critical issues are available in ERPScan Security Monitoring Suite.