
SAP Security Notes June 2012: focus on espionage

SAP has released its monthly critical patch update for June 2012. This update closes many vulnerabilities in SAP products. This month, 2 vulnerabilities found by ERPScan researchers Alexander Polyakov, Dmitriy Chastukhin, Alexey Tyurin and Alexander Minozhenko were closed. The vulnerabilities affect two popular SAP platforms, SAP Portal and SAP PI, which are usually connected to untrusted networks such as the Internet or a public corporate network. Both vulnerabilities allow unauthorized access to sensitive technical and business-related information stored in the vulnerable SAP system or in connected systems. Such vulnerabilities can be used by competitors for espionage.

The detailed list of corrected vulnerabilities is below:

  • A vulnerability in SAP Process Integration. An update is available in SAP Security Note 1707494. The criticality level is 8.5 according to CVSS. By exploiting this vulnerability, an internal or external attacker is able to access any file located in the SAP server file system, execute a DoS attack and exploit the connected systems. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
  • A directory traversal vulnerability in SAP Portal. An update is available in SAP Security Note 1705800. The criticality level is 4.9 according to CVSS. By exploiting this vulnerability, an internal or external attacker is able to access any file located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.
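Both issues above let a client-supplied path reach files outside the directory the application intended to serve. The following is an added illustration of the defensive side of that vulnerability class; it is not SAP's code, not ERPScan's, and not taken from the security notes. It shows a path guard that maps a requested name onto a fixed base directory and rejects anything that escapes it after full percent-decoding, plus a check that flags such requests in web-server access logs. The base directory, URL prefix and log lines are constructed for the example.

```python
"""Path-traversal guard and access-log check (added example, not SAP or ERPScan code)."""
import os
import re
from urllib.parse import unquote

# A '..' path segment, either at the start or between separators (after decoding).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Request line inside a Common Log Format entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %2e%2e and %252e%252e both surface as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_base(base_dir: str, requested: str):
    """Map a client-supplied relative path onto base_dir.

    Returns the absolute path if it stays inside base_dir, otherwise None.
    Decoding happens before normalisation, so encoded separators and
    double-encoded dots cannot slip past the check.
    """
    base = os.path.realpath(base_dir)
    cleaned = fully_decode(requested).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, cleaned))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def flag_traversal_requests(log_lines):
    """Return the raw request paths whose decoded form contains a '..' segment."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = fully_decode(match.group(1)).replace("\\", "/")
        if TRAVERSAL_RE.search(path):
            flagged.append(match.group(1))
    return flagged


# Constructed access-log lines; the /portal/files prefix is a placeholder, not a real SAP URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2012:10:01:02 +0000] "GET /portal/files/docs/readme.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jun/2012:10:01:07 +0000] "GET /portal/files/..%2f..%2fetc/passwd HTTP/1.1" 200 1280',
    '10.0.0.9 - - [05/Jun/2012:10:01:09 +0000] "GET /portal/files/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 210',
    '10.0.0.5 - - [05/Jun/2012:10:02:00 +0000] "GET /portal/files/file..txt HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    base = "/srv/portal/public"  # constructed base directory
    for name in ("docs/readme.txt", "../../etc/passwd", "..%2f..%2fetc%2fpasswd"):
        print(f"{name!r:32} -> {resolve_under_base(base, name)}")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

The guard compares real paths rather than string prefixes of the raw input, so a symlink inside the base directory that points outside it is also rejected; the log check is deliberately loose (any decoded `..` segment) because the cost of reviewing a false positive is far lower than missing a read of a configuration file.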

SAP has traditionally published acknowledgements for vulnerabilities found by ERPScan security researchers on its acknowledgement page.

It is highly recommended to apply the patches for all these issues to reduce business risk.

Advisories for those issues are available at ERPScan.com.

Exploits will be available soon in ERPScan Security Scanner, the innovative SAP vulnerability assessment solution, and ERPScan SaaS.