SAP has released its monthly critical patch update for June 2011. The update closes about 40 vulnerabilities in SAP products, 10 of which were reported by external researchers. As has become traditional, ERPScan researcher Dmitriy Chastuhin, who found 2 of them, is among those credited.
SAP traditionally acknowledges vulnerabilities reported by the ERPScan Research Team on its acknowledgement page.
Both vulnerabilities are rated medium severity (CVSS 5.0 and 4.3). They affect the SAP NetWeaver J2EE Engine and can give an attacker access to a user's session.
Applying the fixes for all of these issues is highly recommended to prevent business risk.
Fixes are available in SAP Security Notes 1545883 and 1562292.
Advisories with technical details for these issues will be published on erpscan.com in 3 months.
We have also published details of the vulnerabilities that were closed 3 months ago, in March 2011.
Exploits for these issues will be available soon in ERPScan Security Scanner, an SAP vulnerability assessment solution, and in ERPScan SaaS.