SAP released its monthly critical patch update for October 2012 which only consists of 6 SAP Security Notes (one related to HOT News, which means that it is the most critical one, and 5 with high priority).
However, the low qnumber holds the high criticality. For example, one of the listed notes closes 6 vulnerabilities in SDM application found by ERPScan researchers, and it is not so easy to install this Security Note.
The following issues were found:
- 2 XSS
- 1 DoS
- 1 privilege escalation
- 1 information disclosure
- 1 mix of multiple issues (inf disclosure/auth bypass/DoS)
Some of our readers and clients have been asking to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
1724516: a complex update of SDM service which targets the architecture of both a client and the server. While it is not a trivial task to deploy this update, it is very critical, and the vulnerabilities in SDM can be used to fully compromise SAP platform. This patch was released as the result of the long-time collaboration between SAP and ERPScan researchers, and it is meant to significantly increase the security of the SDM component. 1720677: a logical error in J2EE stack which allows an anonymous user to escalate their privileges. Affects all J2EE based systems, for example, SAP Portal. 1678387: a denial of service vulnerability in J2EE web stack. By specifying a malicious request, an attacker can exhaust all resources of the target SAP system. Affects all J2EE based systems, for example, SAP Portal.
In this patch, critical architecture issues were closed. There are only 3 (all related to J2EE stack) issues which need to be implemented as soon as possible, but they are very critical.
SAP traditionally published acknowledgements for the found vulnerabilities to security researchers from ERPScan on their acknowledgement page.
It is highly recommended to patch all those issues to prevent business risks.
Checks for the new issues are available in ERPScan, the innovative SAP Security Monitoring Suite.