
To keep companies on the ball: SAP publishes new security updates


HP's new AI-equipped laptop runs on a SnapDragon X Elite chip built by Californian chip giant Qualcomm – Copyright AFP Cole BURSTON

SAP, the German multinational software company, develops enterprise software to manage business processes and customer relationships. The company has a wide reach and is the world's leading provider of enterprise resource planning software.

This means that security updates for SAP are of great interest to the IT departments of many companies. With the latest round of security patches, SAP has released eighteen new and updated SAP security patches, including two so-called “High Priority Notes”.

Will these updates be effective? SAP security researcher Thomas Fritsch believes so. His work with Onapsis Research Labs (ORL) directly contributed to SAP Patch Day by patching twelve vulnerabilities covered in the ten new SAP Security Notes.

Fritsch explained what each of these updates means.

SAP Security Note 3483344, marked with a CVSS score of 7.7

According to Fritsch, this is the most critical patch based on the CVSS rating. Onapsis Research Labs (ORL) have discovered a security vulnerability in SAP Product Design Cost Estimating (SAP PDCE), which is based on SAP Strategic Enterprise Management (SEM). A remotely activated function module in SAP PDCE allows a remote attacker to read generic table data, thus compromising the confidentiality of the system. The patch disables the vulnerable function module.

SAP Security Note 3490515, marked with a CVSS score of 7.2

Fritsch explains that this fixes an improper authorization check vulnerability in SAP Commerce (on premise and public cloud). An attacker can abuse the “forgot password” feature to gain access to a site that has early sign-on and registration enabled without the merchant having to approve the account first. If the site is not configured as an isolated site, this can also grant access to other non-isolated early sign-on sites, even if registration is not enabled for those other sites.

SAP assesses the potential impact of this vulnerability on application confidentiality and integrity as “Low” and sees no impact on availability. As a temporary workaround, SAP recommends disabling registration for affected isolated Composable Storefront B2B sites and for all non-isolated Composable Storefront B2B sites if early sign-in is enabled on at least one of these non-isolated sites.

SAP Security Note 3482217 resolves a reflected XSS vulnerability (CVSS score 6.1) and a stored XSS vulnerability (CVSS score 5.4) in SAP BW Business Planning and Simulation.

Fritsch says that both have little impact on the confidentiality and integrity of the application and no impact on its availability.

SAP Security Note 3468681 with a CVSS score of 6.1 targets the XMLEditor in SAP NetWeaver Knowledge Management.

According to Fritsch, due to insufficient encoding of user-controlled inputs, the XML editor allows the execution of malicious scripts in the application.
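The XSS findings above (the reflected and stored XSS in SAP BW Business Planning and Simulation, and the XMLEditor issue in NetWeaver Knowledge Management) share one root cause: user-controlled input is placed into an HTML response without output encoding. The following is an added illustration written for this article, not code from SAP, Onapsis or any affected component; it contrasts an unencoded rendering path with an encoded one and adds a small check that flags any tag in the rendered fragment that did not come from the trusted template. The input strings are constructed samples, and the `span` label template is a stand-in for whatever UI element actually reflects the value.

```python
import html
import re

# Constructed sample inputs standing in for a user-controlled field value
# (not taken from any SAP component).
MALICIOUS_INPUT = '<script>alert("xss")</script>'
BENIGN_INPUT = 'Quarterly plan <Q3> & forecast'


def render_vulnerable(user_input: str) -> str:
    """Interpolates the raw value into HTML: the defect class behind
    reflected and stored XSS. Kept only to show the contrast."""
    return f'<span class="label">{user_input}</span>'


def render_hardened(user_input: str) -> str:
    """Encodes <, >, &, " and ' before the value reaches the HTML body,
    so browser markup in the input is shown as text, not executed."""
    return f'<span class="label">{html.escape(user_input, quote=True)}</span>'


# Matches anything that the browser would parse as an HTML tag.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')
TAG_NAME_RE = re.compile(r'<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)')


def untrusted_tags(rendered: str, template_tags=("span",)) -> list:
    """Review/detection helper: return every tag in a rendered fragment
    whose name is not part of the trusted template. A non-empty result
    means input-derived markup survived into the output."""
    found = []
    for match in TAG_RE.finditer(rendered):
        name = TAG_NAME_RE.match(match.group(0)).group(1).lower()
        if name not in template_tags:
            found.append(match.group(0))
    return found


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        out = render(MALICIOUS_INPUT)
        print(f"{label}: {out}")
        print(f"  untrusted tags: {untrusted_tags(out)}")
```

Running the block shows the unencoded path leaking a `script` element into the page while the encoded path emits only the template's own `span`; the same check can be pointed at captured HTTP responses during a review of an input-reflecting form.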

SAP Security Note 3467377 is a collective note for SAP CRM (WebClient UI) that closes a total of four vulnerabilities.

Fritsch explains that in addition to two reflected XSS vulnerabilities, both of which have a CVSS score of 6.1, a server-side request forgery vulnerability (CVSS score 5.0) and a missing authorization check vulnerability (CVSS score 4.3) have also been fixed.