SAP Cyber Threat Intelligence report – September 2018
The SAP threat landscape keeps expanding, putting organizations of all sizes and industries at risk of cyber attacks. The monthly SAP Cyber Threat Intelligence report is intended to provide insight into the latest security vulnerabilities and threats.
- The recent patch update consists of 22 patches with the majority of them rated medium.
- The most common vulnerability type is Missing Authorization Check.
SAP Security Notes – September 2018
SAP has released the monthly critical patch update for September 2018. This patch update closes 22 SAP Security Notes (14 SAP Security Patch Day Notes and 8 Support Package Notes). 3 of these patches are updates to previously released Security Notes.
4 notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
This month, Missing Authorization Check is the largest group in terms of the number of vulnerabilities.
SAP users are advised to apply security patches as soon as they are released, since timely patching helps protect the SAP landscape.
Critical issues closed by SAP Security Notes in September
The following SAP Security Notes patch the most severe vulnerabilities of this update:
- 2449974: SAP ECC Sales Support has a Missing Authorization Check vulnerability (CVSS Base Score: 8.8). An attacker can use this vulnerability to access a service without passing any authorization check and use service functionality that should be restricted. This can lead to information disclosure, privilege escalation, and other attacks. Install this SAP Security Note to prevent the risks.
- 2670284: SAP Business One and SAP HANA Installer has an Information Disclosure vulnerability (CVSS Base Score: 8.8, CVE-2018-2458). An attacker can use the Information Disclosure vulnerability to reveal additional information (system data, debugging information, etc.), which helps to learn about the system and plan further attacks. Install this SAP Security Note to prevent the risks.
- 2644279: SAP BEx Web Java Runtime Export Web Service has a Missing XML Validation (XXE) vulnerability (CVSS Base Score: 8.8, CVE-2018-2462). An attacker can use the XML external entity vulnerability to send specially crafted unauthorized XML requests, which are processed by the XML parser. The attacker would thereby gain unauthorised access to the OS filesystem. Install this SAP Security Note to prevent the risks.
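An added example (not code from SAP, ERPScan or the advisory) of the parser-side mitigation for the XXE issue in note 2644279: a Python wrapper around expat that refuses any DOCTYPE or external entity reference before it can be expanded, exercised against two constructed request documents. The `exportRequest` element names and the `file:///some/local/file` path are invented placeholders; the equivalent policy in a Java parser is the `http://apache.org/xml/features/disallow-doctype-decl` feature.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or external entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML with DTD and entity processing refused.

    Any DOCTYPE (hence any entity declaration) and any external entity
    reference aborts parsing before expat can expand it. Returns {tag: text}
    for leaf elements to show the document was otherwise parsed normally.
    """
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE '{name}' not allowed in untrusted input")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity reference to {sysid!r} blocked")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_ref
    result, text = {}, []

    def end_element(tag):
        value = "".join(text).strip()
        if value:
            result[tag] = value
        text.clear()

    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end_element
    parser.Parse(data, True)  # raises UnsafeXml (or ExpatError) on bad input
    return result


def is_rejected(data: bytes) -> bool:
    """True if the policy refused the document, False if it parsed."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return True
    return False


# Constructed sample requests (placeholders, not taken from the advisory).
BENIGN = (b'<?xml version="1.0"?><exportRequest><report>SALES_Q3</report>'
          b'<format>csv</format></exportRequest>')
XXE = (b'<?xml version="1.0"?><!DOCTYPE exportRequest [<!ENTITY leak SYSTEM '
       b'"file:///some/local/file">]><exportRequest><report>&leak;</report>'
       b'</exportRequest>')
```

Rejecting the DOCTYPE outright is stricter than disabling only external entities, but it also closes internal-entity expansion attacks that a pure XXE setting would leave open.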
Advisories for these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.