SAP has released its monthly critical patch update for January 2014. This update closes numerous vulnerabilities in SAP products. This month, two critical vulnerabilities found by ERPScan researchers Evgeny Neyolov and Dmitry Chastukhin were closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by installing the following SAP Security Notes:
- 1865109: SAP Diagnostics Agent is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1922547: SAP iView Wizard is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1898046: SAP BW-SYS-DB is vulnerable to a critical issue. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is given below.
- An information disclosure vulnerability in SAP managed systems. An update is available in SAP Security Note 1828885. An attacker can discover information about SAP system files through Solution Manager.
- An XSS vulnerability in the SAP PI application. An update is available in SAP Security Note 1788080. An attacker can modify displayed application content without authorization and steal authentication data (cookies).
It is highly recommended to patch all these issues to prevent business risks.
As in previous months, SAP has acknowledged the ERPScan security researchers who found these vulnerabilities on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite. Advisories with technical details will soon be available at erpscan.com.