Authentication bypass

SAP Security Notes December 2015 – Review

SAP has released the monthly critical patch update for December 2015. This patch update closes 26 vulnerabilities in SAP products (19 Patch Day Security Notes and 7 Support Package Security Notes), 16 of which are high priority. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov, Mathieu Geli and Vahagn Vardanyan were closed.

According to SAP's blog post, the largest share of vulnerabilities closed by this update falls under the "other" type. This is quite typical for business applications such as SAP. Because of their uniqueness and complexity, they have many more uncommon vulnerabilities than traditional software, where, as our research Analysis of 3000 SAP Security notes revealed, configuration issues constitute only 2%. Last year we analyzed SAP Security Notes by type: about 300 of almost 3000 vulnerabilities were classified as configuration issues, and about 150 were uncategorized. Configuration and other unusual issues are 5 times more common in SAP than in traditional products, so a significant part of cybersecurity measures falls on the shoulders of administrators.

SAP Security Notes October 2015 – Review

SAP has released the monthly critical patch update for October 2015. This patch update closes 29 vulnerabilities in SAP products, 15 of which are high priority; some of them belong to the SAP HANA security area. The most common vulnerability is Missing Authorization Check (as it was in SAP Security Notes September 2015). This month, one critical vulnerability found by ERPScan researcher Mathieu Geli was closed. This vulnerability also affects SAP HANA security and has the highest CVSS score among all issues closed by the update.