SAP has released its monthly critical patch update for July 2013, which closes many vulnerabilities in SAP products. This month, two critical vulnerabilities found by ERPScan researcher Dmitry Chastukhin were closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues so that they can patch them first. The most critical issues in this update are addressed by the following SAP Security Notes:
- 1860367: SAP CO-PA is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1839699: SAP CA-MRS is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
Here are the details of the issues that were found by ERPScan researchers.
- A Missing Authorization Check vulnerability in the SAP DI_CMS application. The update is available in SAP Security Note 1831022. An authenticated user can gain access to DI_CMS functions that should be restricted.
- A Missing Authorization Check vulnerability in the SAP CM Services application. The update is available in SAP Security Note 1831053. An authenticated user can gain access to CM Services functions that should be restricted.
It is highly recommended to patch all these issues to prevent business risks. As is traditional, SAP published acknowledgements to the security researchers from ERPScan for the vulnerabilities they found on its acknowledgement page.
Advisories for those issues with technical details are available at erpscan.com.
Exploits for the most critical issues are available in ERPScan Security Monitoring Suite.