SAP has released its monthly critical patch update for May 2014. This update closes several vulnerabilities in SAP products.
The most critical issues
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can be patched first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical issues of this update are fixed by the following SAP Security Notes:
- 1889999: A Missing Authorization Check vulnerability in the SAP liveCache Applications. An attacker can call certain LCAPPS DP functions to which access should be restricted. This may result in privilege escalation.
- 1979438: An XSS vulnerability in SAP Business-to-Business Internet Sales. An attacker can modify displayed application content without authorization and steal authentication data (cookie).
- 2009696: An XSS vulnerability in SAP HANA Interactive Education. An attacker can modify displayed application content without authorization and steal authentication data (cookie).
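The two XSS notes above describe the same impact: injected markup alters what the application displays, and script running in the page reads the session cookie. Two controls that address that impact are output encoding at the point where untrusted text is written into HTML, and setting the HttpOnly and Secure attributes on session cookies so that script cannot read them. The following is an added example (not code from SAP or ERPScan) that demonstrates both checks in Python. The HTML template, cookie names and Set-Cookie headers are constructed for illustration; the cookie audit is the kind of check an assessor could run against captured response headers.

```python
import html


def escape_for_html(untrusted: str) -> str:
    """Encode attacker-controllable text before it is inserted into an HTML body.

    quote=True also encodes ' and ", so the result is safe inside attribute values.
    """
    return html.escape(untrusted, quote=True)


def render_greeting(user_input: str) -> str:
    """Hypothetical template: the untrusted value is encoded at the output point,
    so markup supplied by the user is displayed as text rather than interpreted."""
    return "<p>Hello, " + escape_for_html(user_input) + "</p>"


def audit_set_cookie_headers(headers):
    """Inspect Set-Cookie header values and report which protective attributes
    each cookie is missing.

    Returns {cookie_name: [missing attributes]}; an empty list means the cookie
    carries both HttpOnly (not readable from script, which blunts cookie theft
    via XSS) and Secure (only sent over TLS).
    """
    findings = {}
    for header in headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        # Everything after the first ';' is attributes such as Path, HttpOnly, Secure.
        attrs = {part.strip().split("=")[0].lower() for part in rest.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        findings[name] = missing
    return findings


# Constructed sample headers, as an assessor might capture them from a response.
SAMPLE_HEADERS = [
    "SESSIONID=0123456789abcdef; Path=/; HttpOnly; Secure",
    "app_pref=lang%3Den; Path=/",
]

if __name__ == "__main__":
    print(render_greeting("<script>alert(1)</script>"))
    for cookie, missing in audit_set_cookie_headers(SAMPLE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

In the sample, the session cookie passes and the preference cookie is flagged for both attributes; whether a non-session cookie needs them is a policy decision, but a session cookie without HttpOnly is exactly the condition under which the cookie theft described in the notes succeeds.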
It is highly recommended to patch all of these issues to reduce business risk.
SAP traditionally credits the security researchers who reported the vulnerabilities on its acknowledgement page.
Checks for the issues are already available in ERPScan Security Monitoring Suite.