SAP Security Notes May 2012 – Review

SAP has released its monthly critical patch update for May 2012. This update closes many vulnerabilities in SAP products. This month, 4 vulnerabilities found by ERPScan researchers Dmitriy Chastukhin and Alexey Tyurin were closed.

The detailed list of corrected vulnerabilities is below:

  • An XXE vulnerability was found in the application SAP BW. By exploiting this vulnerability, an internal or external attacker is able to access any file located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system. The update is available in SAP Security Note 1597066. Criticality, according to CVSS, is 4.0.
  • An information disclosure vulnerability was found in the application SAP NetWeaver. By exploiting this vulnerability, an internal or external attacker is able to access any file located in the SAP server file system. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system. The update is available in SAP Security Note 1675605. Criticality, according to CVSS, is 4.0.
  • An XSS vulnerability was found in SAP NetWeaver. An attacker can use the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, messaging or social networks. Thus, an attacker can gain access to the user's session and gain control over business-critical information which the victim can access. The update is available in SAP Security Note 1614834. Criticality, according to CVSS, is 4.3.
  • An XSS vulnerability was found in SAP Mobile. An attacker can use the XSS vulnerability by sending a link to a malicious script to an unaware user via e-mail, messaging or social networks. Thus, an attacker can gain access to the user's session and gain control over business-critical information which the victim can access. The update is available in SAP Security Note 1590866. Criticality, according to CVSS, is 4.3.
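The first two items describe file-system read access through XML parsing (XXE). The standard defence, independent of the SAP patch itself, is to make any XML parser that touches untrusted input refuse DTDs outright, because external entities can only be declared inside one. The block below is an added example, not SAP's or ERPScan's code and not the fix shipped in the notes above; it uses only the Python standard library (`xml.parsers.expat`) and constructed sample documents, and the element names in those samples are invented.

```python
"""Hardened XML parsing: refuse any DOCTYPE or entity declaration, the root cause of XXE.

Added example (not SAP or ERPScan code). Only the Python standard library is used;
the sample documents below are constructed for illustration.
"""
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when an untrusted document declares a DOCTYPE or any entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Called by expat at '<!DOCTYPE ...'; raising here aborts the parse immediately.
    raise DoctypeRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")


def _reject_entity(name, is_parameter_entity, value, base, sysid, pubid, notation):
    # Defence in depth: unreachable once DOCTYPE is refused, but harmless to keep.
    raise DoctypeRejected(f"entity declaration '{name}' is not allowed")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` into a flat {element/path: text} mapping, refusing any DTD.

    Raises DoctypeRejected for documents carrying a DOCTYPE or entity declaration
    and expat.ExpatError for malformed XML; returns the mapping otherwise.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    # Returning 0 from this handler makes expat fail the parse should an external
    # entity reference ever be reached, so nothing is fetched from disk or network.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0

    path, result = [], {}

    def start(name, attrs):
        path.append(name)
        result.setdefault("/".join(path), "")

    def end(name):
        path.pop()

    def chars(text):
        key = "/".join(path)
        result[key] = result.get(key, "") + text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return {key: value.strip() for key, value in result.items()}


def accepts(data: bytes) -> bool:
    """True if the document is parsed, False if the hardened parser refused it."""
    try:
        parse_untrusted_xml(data)
        return True
    except (DoctypeRejected, expat.ExpatError):
        return False


# Constructed samples: a plain document and one carrying an external entity
# declaration that points at a placeholder path on the server.
PLAIN_DOC = b"<report><sys>PRD</sys><user>j.doe</user></report>"
DTD_DOC = (b'<!DOCTYPE report [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b"<report><sys>&ext;</sys></report>")

if __name__ == "__main__":
    print("plain document accepted:", accepts(PLAIN_DOC))   # True
    print("document with DTD accepted:", accepts(DTD_DOC))  # False
```

Refusing the whole DOCTYPE, rather than trying to distinguish harmless internal entities from external ones, is the usual hardening choice: business XML exchanged between systems almost never needs a DTD, and a rejected document is an easy event to log and alert on.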

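The last two items are reflected XSS: a parameter from an attacker-supplied link is written into the page unescaped, and the script that results runs with the victim's session. As an added example (not SAP's or ERPScan's code, and not the code that was patched), the block below shows the unsafe rendering beside its escaped form, a small unit-test helper that checks whether markup in a query parameter survives into the response, and the cookie flags that keep a session identifier out of reach of page script. The request handler, the page URL and the cookie name are all hypothetical.

```python
"""Reflected XSS: unsafe vs escaped rendering, a reflection check, and session cookie flags.

Added example (not SAP or ERPScan code). The handler, URL and cookie name are hypothetical.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def render_unsafe(user_name: str) -> str:
    # Interpolates the parameter verbatim: any markup in it becomes part of the page.
    return f"<p>Welcome, {user_name}</p>"


def render_safe(user_name: str) -> str:
    # Escapes <, >, &, " and ' so user-supplied data can only ever be text.
    return f"<p>Welcome, {html.escape(user_name, quote=True)}</p>"


def handle_request(url: str, renderer) -> str:
    """Hypothetical page that reflects the 'name' query parameter into its HTML."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    return renderer(name)


def reflects_markup(renderer, probe: str = "<b>probe</b>") -> bool:
    """Test helper: does the renderer let the probe's tags through unescaped?

    A harmless <b> tag is enough to show the defect; if it survives, so would a script.
    """
    page = handle_request("https://host.example/welcome?name=" + quote(probe), renderer)
    return probe in page


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a session id (cookie name is hypothetical).

    HttpOnly keeps the value out of document.cookie, so a successful XSS cannot
    simply read it; Secure restricts it to TLS; SameSite=Lax blunts cross-site
    requests that would carry it.
    """
    return f"session_id={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("unsafe renderer reflects markup:", reflects_markup(render_unsafe))  # True
    print("escaped renderer reflects markup:", reflects_markup(render_safe))   # False
    print(session_cookie_header("constructed-session-id"))
```

The `reflects_markup` check is the kind of assertion worth keeping in a regression suite for every view that echoes request data: it fails loudly the day someone replaces the escaping call with plain interpolation.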
SAP has traditionally published acknowledgements for vulnerabilities found by security researchers from ERPScan on its acknowledgement page.

It is highly recommended to patch all those issues to prevent business risks.

Advisories for these issues, with technical details, will be available within 3 months on ERPScan.com.

Exploits will be available soon in ERPScan Security Scanner, an innovative SAP vulnerability assessment solution, and in ERPScan SaaS.