SAP released its monthly critical patch update for June 2011, which closes about 40 vulnerabilities in SAP products. 10 of them were found by external experts. The ERPScan researcher Dmitriy Chastuhin, who found 2 of these vulnerabilities, is traditionally among them.
As usual, SAP published acknowledgements for the found vulnerabilities to security researchers from ERPScan Research Team on their acknowledgement page.
Both vulnerabilities have a medium severity level (5.0 and 4.3 by CVSS). The vulnerabilities affect the SAP NetWeaver J2EE Engine and can give an attacker access to the user session.
It is highly recommended to patch all those issues to prevent business risks.
Solutions for those issues are available in SAP Security Notes: 1545883, 1562292.
Advisories for those issues with technical details will be available in 3 months on erpscan.com site.
We also published details of the vulnerabilities that were closed 3 months ago, in March 2011.
Exploits will be available soon in ERPScan Security Scanner – innovative SAP vulnerability assessment solution and ERPScan SaaS.