SAP released its monthly critical patch update for January 2012, which closes many vulnerabilities in SAP products. This month, one critical vulnerability found by ERPScan researchers Alexey Sintsov, Alexander Polyakov and Alexey Tyurin was closed.
The detailed list of the corrected vulnerabilities is below:
- The vulnerability was found in SAP Portal and allows any user to read any file from the operating system. Because the readable files can include critical information such as encrypted passwords or database files, this vulnerability can be very dangerous. The update is available in SAP Security Note 1619539. The CVSS score is 6.8.
SAP has traditionally published acknowledgements to ERPScan security researchers for the vulnerabilities they found on its acknowledgement page. Unfortunately, the page is not available as of the date this news item was published.
It is highly recommended to patch all of these issues to prevent business risks.
Advisories with technical details for these issues will be available on our website, erpscan.com, in 3 months.
Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution.