SAP released its monthly critical patch update for June 2014 which closes a lot of vulnerabilities in SAP products. The most common vulnerability in this month is Cross-Site Scripting.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. the companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:
- 1908531: An XML external entity vulnerability in the SAP SBOP Explorer. An attacker can modify an XML-based request to include XML content that is parsed locally. An attacker can use a XML external entity vulnerability for getting an unauthorized access to OS file system.
- 2015446: SAP HANA Web-based Development Workbench has a code injection vulnerability. An attacker can inject and run their own code, obtain the additional information that should not be displayed, modify and delete any data, modify the output of the system, create new users with higher privileges, control the behavior of the system, potentially escalate privileges by executing malicious code or even performing a DoS attack.
- 2001106: A Denial of service vulnerability in SAP Business Intelligence Platform User & Server Configuration. An attacker can use a Denial of Service vulnerability for terminating a process of the vulnerable component. By this time nobody can use this service, this fact negatively influences on business processes, a system downtime and the business reputation as a result.
Issues that were patched with the help of ERPScan
The detailed list of the corrected vulnerabilities that were found by ERPScan researchers is below.
- An SQL injection vulnerability in SAP HANA Web-based Development Workbench application. The update is available in SAP Security Note 2014881. An attacker can exploit SAP HANA Web-based Development Workbench and use specially crafted inputs to modify database commands.
It is highly recommended to patch all those issues to prevent business risks.
SAP traditionally published acknowledgements for the found vulnerabilities to security researchers on their acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite.