The SAP threat landscape is constantly expanding, putting organizations of all sizes and industries at risk of cyberattacks. The SAP Cyber Threat Intelligence report is intended to provide insight into the latest security threats and vulnerabilities.
- This set of SAP Security Notes consists of 32 patches with the majority of them rated medium.
- The most common vulnerability type is Implementation Flaw.
- 3 of the bugs are rated Hot News; the highest CVSS base score is 9.1.
SAP Security Notes – November 2017
SAP has released the monthly critical patch update for November 2017. This patch update includes 32 SAP Security Notes (22 SAP Security Patch Day Notes and 10 Support Package Notes). 13 of all the patches are updates to previously released Security Notes.
15 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
2 of the released SAP Security Notes received a High priority rating and 3 were assessed as Hot News. The highest CVSS score among the vulnerabilities is 9.1.
The most common vulnerability type is Implementation Flaw. SAP users are recommended to implement security patches as soon as they are released.
Issues that were patched with the help of ERPScan
This month, 2 critical vulnerabilities identified by ERPScan's researchers Vahagn Vardanyan and Mathieu Geli were closed.
Below are the details of the SAP vulnerabilities that were identified by the ERPScan team.
- An Information Disclosure vulnerability in SAP HANA Extended Application Services (XS Advanced) (CVSS Base Score: 5.0). The update is available in SAP Security Note 2508673. An attacker can use an Information Disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps them learn about the system and plan further attacks.
- A Log Injection vulnerability in SAP NetWeaver AS Java (CVSS Base Score: 4.3). The update is available in SAP Security Note 2485208.
Other critical issues closed by SAP Security Notes – November
The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:
- 2500044: SAP Management Console has an Implementation Flaw vulnerability (CVSS Base Score: 8). Depending on the problem, an Implementation Flaw can cause unpredictable system behavior and problems with stability and safety. Patches fix configuration errors, add new functionality, and increase system stability. Install this SAP Security Note to prevent the risks.
- 2374767: SAP SAPUI5 has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1). An attacker can exploit a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens, and other critical information stored and used for interaction with a web application. An attacker can gain access to a user session and learn business-critical information; in some cases, it is possible to gain control over this information. XSS can also be used to modify the displayed content without authorization. Install this SAP Security Note to prevent the risks.
- 2473504: SAP BusinessObjects Analysis Edition for OLAP has a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1). An attacker can exploit it to inject a malicious script into a page. The critical information stored and used for interaction with a web application can be accessed, and an attacker might gain access to a user session and learn business-critical information or even gain control over this data. In addition, XSS can be used for unauthorized modification of displayed content. Install this SAP Security Note to prevent the risks.
Advisories for these SAP vulnerabilities, with technical details, will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in the ERPScan Security Monitoring Suite.