SAP Security Notes September 2013 – Review
SAP has released the monthly critical patch update for September 2013. This patch update closes many vulnerabilities in SAP products. This month, 4 critical vulnerabilities found by ERPScan researchers Alexander Polyakov, Nikolay Mescherin and Dmitry Evdokimov were closed.
The most critical issues
Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Security Notes:
- 1893560: SAP Sybase ASE is vulnerable to a very critical issue. It is recommended to install this SAP Security Note to prevent risks.
- 1849356: SAP Sybase ASE is vulnerable to another critical issue. It is recommended to install this SAP Security Note to prevent risks.
Issues that were patched with the help of ERPScan
Here are the details of the issues that were found by ERPScan researchers.
The detailed list of corrected vulnerabilities is below:
- An SQL Injection vulnerability in the SAP BC-CTS-CCO application. Update is available in SAP Security Note 1783795. An attacker can exploit BC-CTS-CCO and use specially crafted inputs to modify database commands.
- An XSS vulnerability in the SAP SV-SMG-DIA-SRV application. Update is available in SAP Security Note 1828801. An attacker can modify displayed application content without authorization.
- An Information Disclosure vulnerability in SAP Standalone Enqueue Server. Update is available in SAP Security Note 1879601. An attacker can get access to Standalone Enqueue Server from the outside.
- An XXE vulnerability in the SAP Hotspot Analysis application. Update is available in SAP Security Note 1890819. A malicious user can cause a denial of service (DoS) of the parsing system, or access further network-located resources that are reachable from the parsing system.
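The SQL Injection item above comes down to one pattern: untrusted input concatenated into the text of a database command. The following is an added example, not code from ERPScan or SAP, showing the vulnerable pattern next to the parameterized form that neutralizes it. The table name, rows and the crafted input are constructed for illustration and have nothing to do with BC-CTS-CCO internals.

```python
"""Parameterized queries versus string concatenation.

Added example (not code from ERPScan or SAP). The table and its rows are
constructed for illustration; the point is the query-building pattern.
"""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table of (constructed) transport requests."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transport_requests (id TEXT PRIMARY KEY, owner TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO transport_requests VALUES (?, ?, ?)",
        [("T001", "DEVELOPER01", "modifiable"),
         ("T002", "DEVELOPER01", "released"),
         ("T003", "DEVELOPER02", "released")],
    )
    return conn


def requests_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the caller's string becomes part of the SQL text."""
    sql = "SELECT id FROM transport_requests WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def requests_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT id FROM transport_requests WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed input that closes the quoted literal and appends its own condition.
CRAFTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe, crafted input:", requests_for_owner_unsafe(db, CRAFTED_INPUT))
    print("safe,   crafted input:", requests_for_owner_safe(db, CRAFTED_INPUT))
    print("safe,   normal input: ", requests_for_owner_safe(db, "DEVELOPER01"))
```

With the parameterized version the crafted string is compared as an owner name and matches nothing; with concatenation the same string rewrites the WHERE clause and returns every row.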
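Both outcomes named in the XXE item (exhausting the parser, or making it fetch resources reachable from the parsing host) depend on the XML parser honouring entity declarations. The example below is added here and is not code from ERPScan or SAP; it uses only the Python standard library's expat binding and refuses any document that declares entities, internal or external, before a single reference can be resolved. The sample documents and the hostname in them are constructed placeholders.

```python
"""Hardened XML intake: refuse any document that declares entities.

Added example (not code from ERPScan or SAP). It uses only the Python
standard library's expat binding, so it runs offline. The sample documents
below are constructed for illustration.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """The document declares entities or references an external one."""


def parse_without_entities(xml_bytes: bytes) -> dict:
    """Parse XML while rejecting DTD entity declarations and external entity references.

    Returns the root element's attributes and the element names seen, so the
    caller can confirm that ordinary, entity-free input still parses normally.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": [], "root_attrs": None}

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities can be nested for exponential expansion (parser DoS);
        # external ones make the parser fetch a file or URL. Refuse both kinds
        # at declaration time, before any reference to them can be resolved.
        raise UnsafeXmlError(f"entity declaration refused: {name!r}")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: only reached if a declaration got past the handler
        # above. Raising aborts the parse with an explicit reason.
        raise UnsafeXmlError(f"external entity reference refused: {system_id!r}")

    def on_start(name, attrs):
        if seen["root_attrs"] is None:
            seen["root_attrs"] = dict(attrs)
        seen["elements"].append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # exceptions raised inside handlers propagate here
    return seen


def is_safe_to_process(xml_bytes: bytes) -> bool:
    """True only if the document is well-formed and declares no entities at all."""
    try:
        parse_without_entities(xml_bytes)
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample inputs (hostname is a placeholder, not a real target).
PLAIN_DOC = b"<analysis id='42'><hotspot/></analysis>"
INTERNAL_ENTITY_DOC = (b"<!DOCTYPE analysis [<!ENTITY e 'x'>]>"
                       b"<analysis>&e;</analysis>")
EXTERNAL_ENTITY_DOC = (b"<!DOCTYPE analysis [<!ENTITY ext SYSTEM 'http://internal.example/status'>]>"
                       b"<analysis>&ext;</analysis>")

if __name__ == "__main__":
    samples = [("plain", PLAIN_DOC),
               ("internal entity", INTERNAL_ENTITY_DOC),
               ("external entity", EXTERNAL_ENTITY_DOC)]
    for label, doc in samples:
        print(f"{label}: {'accepted' if is_safe_to_process(doc) else 'rejected'}")
```

Rejecting at the declaration rather than at the reference is the design choice that matters: a parser that only blocks external fetches still expands nested internal entities, which is the DoS path, and a document that legitimately needs no DTD loses nothing by the stricter rule.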
It is highly recommended to patch all of these issues to prevent business risks. SAP has credited the ERPScan researchers for the reported vulnerabilities on its acknowledgement page, as it traditionally does.
Advisories for those issues are available at erpscan.com.
Checks for the described issues are already available in ERPScan Security Monitoring Suite.