On the 13th of June 2017, SAP released its monthly set of SAP Security Notes consisting of 29 patches.
To help everyone engaged in the SAP patching process, the ERPScan research team conducted a detailed review of the released SAP Security Notes. This analysis comes in handy for companies providing SAP Vulnerability Assessment, SAP Security Audit, or SAP Penetration Testing services.
SAP Security Notes June 2017 in review
June’s set of security patches includes 29 SAP Security Notes (21 SAP Security Patch Day Notes and 8 Support Package Notes). 5 of them are updates to previously released Security Notes.
5 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the closed vulnerabilities is 7.5.
Most of the vulnerabilities belong to the SAP NetWeaver ABAP platform.
The most common vulnerability type is XSS.
Priority vs. Application type distribution
It is a commonplace that SAP systems are complex. Nonetheless, when it comes to SAP patching, this complexity has to be taken into account. To simplify the process, the ERPScan research team created a table showing the distribution of the notes between priority and application area.
| Application area | SAP Security Note |
|---|---|
| Enterprise Performance Management | 2422292 |
| Business intelligence solutions | 2313631 |
| Enterprise information management solutions | 2472026 |
| Supply Chain Management | 2457909 |
| SAP Business Information Warehouse | 2389764 |
| Environment, Health and Safety | 1816886 |
| Customer Relationship Management | 2236654 |
The most critical issues of SAP Security Notes June 2017
The most critical vulnerabilities in this update are patched by the following SAP Security Notes:
- 2389181: SAP NetWeaver Instance Agent Service has a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can exploit it to terminate a process of the vulnerable component. While that process is down, nobody can use the service; the resulting downtime disrupts business processes and, in turn, damages business reputation.
- 2313631: BILaunchPad and Central Management Console have a Denial of Service vulnerability (CVSS Base Score: 7.5). An attacker can exploit it to terminate a process of the vulnerable component. While that process is down, nobody can use the service; the resulting downtime disrupts business processes and, in turn, damages business reputation. Install this SAP Security Note to prevent the risks.
- 2396544: SAP BusinessObjects Web Intelligence HTML interface has a Cross-Site Scripting vulnerability (CVSS Base Score: 7.1). An attacker can exploit a Cross-Site Scripting vulnerability to inject a malicious script into a page. The malicious script can access cookies, session tokens and other critical information stored and used for interaction with a web application. An attacker can gain access to a user's session and learn business-critical information; in some cases, it is possible to get control over this information. XSS can also be used for unauthorized modification of displayed content. Install this SAP Security Note to prevent the risks.
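The XSS mechanism described in the last item, as an added illustration that is not part of the original post and has nothing to do with SAP's own code: a constructed page template that concatenates a request parameter straight into HTML, the same template with contextual HTML escaping applied, and a session cookie header whose attributes limit what an injected script could read even where escaping was missed. The function names, the template and the sample input are all assumptions made for the example.

```javascript
// Added example (not SAP's or ERPScan's code). The report page template and
// the input values are constructed for illustration only.

// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value. This is the minimal contextual encoding for
// those two contexts; URLs, JavaScript and CSS contexts need their own rules.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: a request parameter is concatenated into the page
// unchanged, so any markup in it is parsed by the browser as markup.
function renderVulnerable(reportName) {
  return `<h1>Report: ${reportName}</h1>`;
}

// Hardened rendering: the same value passes through escapeHtml first, so the
// browser shows it as visible text instead of interpreting it.
function renderHardened(reportName) {
  return `<h1>Report: ${escapeHtml(reportName)}</h1>`;
}

// Structural check used by the demonstration: does the rendered output contain
// a script element at all? (A real reviewer would also look at event-handler
// attributes and javascript: URLs; this is deliberately narrow.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the "script reads cookies and session tokens" step the
// text describes: HttpOnly keeps the session cookie out of document.cookie,
// Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
function sessionCookieHeader(sessionId) {
  return `SESSION=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: a report name carrying an injected script element.
const sampleInput = 'Q2 sales<script>alert(1)</script>';

console.log('vulnerable:', renderVulnerable(sampleInput));   // script tag survives
console.log('hardened:  ', renderHardened(sampleInput));     // script tag is escaped
console.log('cookie:    ', sessionCookieHeader('constructed-session-id'));
```

The escaping function is applied at the point where data enters HTML, not at input time, because the same value may later land in a different context (a URL, a JSON response) that needs different encoding. The cookie attributes do not fix the injection; they only shrink what an injected script can reach, which is why the SAP Security Note itself remains the fix.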