SAP has released its monthly critical patch update for November 2013. The update closes a large number of vulnerabilities in SAP products. Among them are four critical vulnerabilities found by ERPScan researchers George Nosenko, Dmitry Evdokimov, Alexey Tyurin and Nikolay Mescherin.
The most critical issues
Some of our readers and clients asked us to single out the most critical issues so that they can be patched first. The most critical issues in this update are addressed by the following SAP Security Notes:
- 1903756: SAP DB6 (the SAP component for IBM DB2 for Linux, UNIX and Windows) is affected by a critical issue. Install this SAP Security Note to prevent risks.
- 1843169: SAP CRM-MW-ADP (CRM Middleware Adapter) is affected by a critical issue. Install this SAP Security Note to prevent risks.
- 1846945: SAP Business Planning and Consolidation, version for SAP NetWeaver, release 7.5, Web Administration is missing an authority check. Check this SAP Security Note for details and apply the solution to prevent risks.
Issues that were patched with the help of ERPScan
The vulnerabilities found by ERPScan researchers and corrected in this update are listed below.
- A potentially insecure configuration of SAProuter. The update is available in SAP Security Note 1853140. If SAProuter is started with the -X option, an external user can control the SAProuter.
- An SQL injection vulnerability in the SAP BW-WHM-DBA-IOBJ (BW InfoObjects) component. The update is available in SAP Security Note 1836718. An attacker can send specially crafted input that alters the database commands the component executes.
- An information disclosure vulnerability in SAP MOB-APP-EMR-AND. The update is available in SAP Security Note 1864518. An attacker can obtain information handled by MOB-APP-EMR-AND without authorization.
- An XXE (XML External Entity) vulnerability in SAP CA-WUI-UI-TAG (WebClient UI tag library). The update is available in SAP Security Note 1909665. An attacker can modify an XML-based request so that it declares external entities, which the server-side XML parser then resolves locally.
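The SAProuter item above is a configuration issue rather than a code defect, so the practical check is whether the router process was started with -X. The following script is an added example written for this post; it is not part of the original text, not SAP's tooling and not ERPScan's product. It parses `ps -eo pid,args` style output and reports every SAProuter process whose command line carries the exact -X token. The process list, PIDs and binary paths in SAMPLE_PS_OUTPUT are constructed for the demo.

```python
import os
import shlex

# Constructed sample of `ps -eo pid,args` output (not real data): one SAProuter
# started with -X, one without, and an unrelated process. Paths are assumptions.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
 1234 /usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouttab -X
 1301 /usr/sap/saprouter/saprouter -r -R /usr/sap/saprouter/saprouttab -S 3299
 2210 /usr/sbin/sshd -D
"""


def is_saprouter(argv):
    """True if argv[0] looks like the SAProuter binary (saprouter, saprouter.exe, ...)."""
    return bool(argv) and os.path.basename(argv[0]).lower().startswith("saprouter")


def remote_admin_enabled(cmdline):
    """Return True if a SAProuter command line carries the -X start option.

    Only the exact token "-X" after the binary name counts; other options such as
    -R (route table) or -S (service port) are ignored, as is -X on other programs.
    """
    argv = shlex.split(cmdline)
    return is_saprouter(argv) and "-X" in argv[1:]


def find_risky_saprouters(ps_output):
    """Parse `ps -eo pid,args` output (header line first) and return the PIDs of
    SAProuter processes that were started with -X."""
    risky = []
    for line in ps_output.splitlines()[1:]:   # skip the PID/COMMAND header
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        if pid.isdigit() and remote_admin_enabled(args):
            risky.append(int(pid))
    return risky


if __name__ == "__main__":
    import subprocess
    try:
        # Live check on a Unix host; falls back to the constructed sample if ps is unavailable.
        out = subprocess.run(["ps", "-eo", "pid,args"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_PS_OUTPUT
    for pid in find_risky_saprouters(out):
        print(f"PID {pid}: SAProuter started with -X; remove the option and restart")
```

The check only covers hosts where SAProuter runs as a foreground process visible to `ps`; where it is registered as a Windows service, inspect the service's start command instead. A finding is cleared by restarting the router without -X, which is what SAP Security Note 1853140 addresses.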
It is highly recommended to apply all of these notes to prevent business risks.
As usual, SAP has acknowledged the ERPScan researchers who reported these vulnerabilities on its acknowledgement page.
Advisories with technical details for these issues will be published at erpscan.com in three months.
Checks for the described issues are already available in the ERPScan Security Monitoring Suite.
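The XXE item in the list above describes the bug class in general terms. The example below is added here to show the mechanism in working code; it is not SAP code, not the vulnerable component, and not ERPScan's check. It uses Python's xml.sax parser as a stand-in for the server-side XML parser: the same crafted request is parsed once with external general entities enabled (the weak setting), which pulls the contents of a local file into a data field, once with the secure default, and once through a parser that rejects any DOCTYPE. The request format, element names and the secret file contents are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed contents of a local file on the "server" that the attacker wants to read.
SECRET = b"CONSTRUCTED-SECRET-1234"


class TextCollector(ContentHandler):
    """Records the character data of each element, keyed by element name."""

    def __init__(self):
        super().__init__()
        self.current = None
        self.fields = {}

    def startElement(self, name, attrs):
        self.current = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self.current is not None:
            self.fields[self.current] += content

    def endElement(self, name):
        self.current = None


def build_xxe_request(local_path):
    """Hypothetical client request, modified by the attacker to declare an external
    entity that points at a local server file and to reference it in a data field."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{local_path}">]>\n'
        "<request><user>&xxe;</user></request>\n"
    ).encode()


def parse_request(xml_bytes, resolve_external_entities):
    """Parse a request with xml.sax. The flag selects the weak setting (external
    general entities are fetched and inlined) or the hardened default (ignored)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def parse_request_strict(xml_bytes):
    """Strictest option: refuse any request that carries a DOCTYPE at all, which also
    blocks entity-expansion denial of service, not only external entities."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not allowed in requests")
    return parse_request(xml_bytes, resolve_external_entities=False)


def demo():
    """Run the same crafted request through the weak, hardened and strict parsers."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(SECRET)
        path = f.name
    try:
        request = build_xxe_request(path)
        weak = parse_request(request, resolve_external_entities=True)["user"]
        hardened = parse_request(request, resolve_external_entities=False)["user"]
        try:
            parse_request_strict(request)
            strict_rejected = False
        except ValueError:
            strict_rejected = True
    finally:
        os.unlink(path)
    return {"weak": weak, "hardened": hardened, "strict_rejected": strict_rejected}


if __name__ == "__main__":
    print(demo())
```

Disabling external general entities stops the file disclosure shown here but still lets the parser expand internal entities, so rejecting DOCTYPE outright (or an equivalent parser option) is the setting to prefer on any endpoint that accepts XML from clients.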