SAP has released its monthly critical patch update for June 2014. This update closes a large number of vulnerabilities in SAP products; the most common vulnerability type this month is Cross-Site Scripting.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 1908531: An XML external entity (XXE) vulnerability in SAP SBOP Explorer. An attacker can modify an XML-based request so that it includes XML content which is parsed locally on the server. An attacker can use an XML external entity vulnerability to gain unauthorised access to the OS filesystem.
- 2015446: SAP HANA Web-based Development Workbench has a code injection vulnerability. An attacker can inject and run their own code, obtain information that should not be displayed, modify or delete data, alter the output of the system, create new users with higher privileges, control the behaviour of the system, potentially escalate privileges by executing malicious code, or even cause a denial of service.
- 2001106: A denial of service vulnerability in SAP Business Intelligence Platform User & Server Configuration. An attacker can use the vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service, which disrupts business processes and results in system downtime and reputational damage.
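The XXE issue in note 1908531 exists because the application parses attacker-controlled XML with entity resolution enabled. The defensive pattern is to refuse any DOCTYPE (the only place entity declarations can live) before the parser ever sees a reference. The following is an added illustration written for this post, not code from SAP or from the affected product: it uses Python's standard-library expat parser, and the request documents, including the constructed external-entity reference, are made-up sample inputs.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document tries to declare or reference entities."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML request into {element_name: text}, refusing DOCTYPEs.

    Entity declarations (internal and external) can only appear inside a
    DOCTYPE, so rejecting the DOCTYPE up front removes the XXE vector. The
    external-entity handler is a second line of defence in case the DOCTYPE
    check is ever loosened.
    """
    parser = expat.ParserCreate()
    result = {}
    buffer = []  # character data of the element currently being read

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Client requests never need a DTD; treat its presence as hostile.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted from clients")

    def external_entity_ref(context, base, system_id, public_id):
        # Never fetch local files or URLs named by the document.
        raise UnsafeXMLError("external entity reference %r refused" % (system_id,))

    def start_element(name, attrs):
        buffer.clear()

    def end_element(name):
        text = "".join(buffer).strip()
        if text:
            result[name] = text
        buffer.clear()

    def char_data(text):
        buffer.append(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data

    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return result


def accept_request(data: bytes):
    """Return the parsed request, or None if the document was rejected as unsafe."""
    try:
        return parse_untrusted_xml(data)
    except UnsafeXMLError:
        return None


# Constructed sample inputs (not taken from any real SAP traffic).
BENIGN_REQUEST = b"<request><query>sales by region</query></request>"
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/server/file">]>'
    b"<request><query>&ext;</query></request>"
)

if __name__ == "__main__":
    print("benign:", accept_request(BENIGN_REQUEST))
    print("xxe   :", accept_request(XXE_REQUEST))
```

The same two controls (no DOCTYPE, no external entity resolution) are what the "disallow DOCTYPE" and "external general/parameter entities" switches on Java and .NET XML parsers implement; the check belongs at the point where client-supplied XML first enters the application, before any business logic runs.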
Issues that were patched with the help of ERPScan
The detailed list of corrected vulnerabilities that were found by ERPScan researchers is below.
- An SQL injection vulnerability in the SAP HANA Web-based Development Workbench application. The fix is available in SAP Security Note 2014881. An attacker can exploit the SAP HANA Web-based Development Workbench by supplying specially crafted input that modifies the database commands the application executes.
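The root cause of an injection like the one in note 2014881 is that user input is spliced into the SQL text instead of being bound as a parameter. The example below is added for this post and is not code from SAP HANA or ERPScan: it uses an in-memory SQLite database with constructed sample rows as a stand-in for HANA, and shows the same lookup written both ways so that the crafted input's effect on the command is visible.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "developer"), ("bob", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL command itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fixed: the input is bound as a value, so it can only ever match a name."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> tuple:
    """Return (row count from vulnerable lookup, row count from fixed lookup)."""
    conn = build_demo_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves identically in both versions.
    print("alice:", compare("alice"))
    # A crafted value closes the quoted literal and appends a condition that is
    # always true, so the vulnerable query returns every row; the bound version
    # simply looks for a user literally named that string and finds nothing.
    print("crafted:", compare("x' OR '1'='1"))
```

The fix is the same in HANA's own XS JavaScript layer, where `$.db` connections expose `prepareStatement()` with typed setters for bound values: the query text stays constant and the input travels separately, so no input can change the shape of the command.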
It is highly recommended to patch all of these issues to prevent business risks.
SAP has traditionally acknowledged security researchers who report vulnerabilities on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite.