SAP released monthly critical patch update for January 2012. This patch update closes many vulnerabilities in SAP products. This month one critical vulnerability founded by ERPScan researchers Alexey Sintsov, Alexander Polyakov and Alexey Tuyrin was closed.
Detailed list of corrected vulnerabilities is below:
- Vulnerability was found in SAP Portal and allows any user to read any file from operation system. In combination with the possibility to read critical information like encrypted passwords or database files this vulnerability can be very dangerous. The update is available in SAP Security Note 1619539. Criticality according to CVSS is 6.8.
SAP traditionally sent acknowledgements for found vulnerabilities to security researchers from ERPScan on their acknowledgement page. Unfortunately, at the date of news publishing it is not available.
It is highly recommended to patch all those issues to prevent business risks.
Advisories for those issues with technical details will be available in 3 months on our website erpscan.com.
Exploits will be soon avaiable in ERPScan Security Scanner - innovative SAP vulnerability assessment solution.