SAP Security Notes March 2011 – Review
SAP released its monthly critical patch update for April 2011 which closes 7 public vulnerabilities in SAP products. 4 of those vulnerabilities were found by ERPScan researchers Alexander Polyakov and Dmitriy Evdokimov.
SAP traditionally published acknowledgements for the found vulnerabilities to security researchers from ERPScan on their acknowledgement page.
The most critical one is authentication bypass that can be exploited remotely to gain unauthorized access to SAP NetWeaver systems which has CVSS score 9.0 (priority 1 according to SAP metrics). Others are Cross-Site Scripting and information disclosure vulnerabilities in SAP NetWeaver.
It is highly recommended to patch all those issues to prevent business risks.
Solutions for those issues are available in SAP Security Notes: 1503579, 1503856,1475767, 1486679
Advisories for those issues with technical details will be available in 3 month on erpscan.com
Exploits will be available soon in ERPScan Security Scanner – innovative SAP vulnerability assessment solution and ERPScan SaaS.