SAP Security Notes January 2011 – Review
This patch update closes 13 public vulnerabilities in SAP products. Three of those vulnerabilities were found by ERPScan researchers Alexander Polyakov and Dmitriy Chastuhin. As is SAP's practice, the ERPScan researchers who reported them are credited on SAP's acknowledgement page.
The most critical one is a buffer overflow in the SAP Frontend application (SAP GUI for Windows) that can be exploited to gain unauthorized access to every workstation on which SAP Frontend is installed. This vulnerability has priority 1 according to SAP metrics. The others are cross-site scripting vulnerabilities in SAP NetWeaver.
It is highly recommended to patch all those issues to prevent business risks.
Solutions for those issues are available in SAP Security Notes: 1504547, 1443367, 1490335.
Advisories for those issues with technical details will be available here:
Exploits will be available soon in the ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.