SAP this week released another set of security patches for its products to address a total of 19 vulnerabilities, most of which are rated Medium severity.
A total of 16 security notes were included in the SAP Security Patch Day in August 2017: three rated High risk, 11 rated Medium severity, and two Low risk.
SAP also released three Support Package Notes, for a total of 19 patches. One of the notes was released after the second Tuesday of the previous month and before the second Tuesday of this month.
The most important of these issues include a Directory Traversal vulnerability (CVSS Base Score: 7.7) in SAP NetWeaver AS Java Web Container, a Code Injection vulnerability (CVSS Base Score: 7.4) in Visual Composer 04s iviews, and a Cross-Site AJAX Requests vulnerability (CVSS Base Score: 7.3) in SAP BusinessObjects (in a third-party Java library used by the application).
The Visual Composer 04s iviews flaw “allows attackers to inject malicious code into the back end application. By simply having end users access a specially crafted URL, unwanted applications can be started on the client machine by an attacker. Depending on who makes use of your Enterprise Portal, clients in this sense could be employees, customers, partners or suppliers,” Onapsis reveals.
According to the company, which specializes in securing SAP and Oracle applications, a large number of Visual Composer versions, starting from 7.00, are affected. Thus, even if the component is not actively used within an organization, it could still be leveraged as part of an attack.
The most common vulnerability type resolved this month was cross-site scripting. Five such issues were addressed in SAP applications, along with two directory traversal bugs, two open redirects, two cross-site request forgery flaws, two SQL injections, one missing authorization check, one information disclosure, one code injection, one SSRF bug, one implementation flaw, and one denial of service.
“Cross-Site Scripting remains the most widespread security loophole in SAP Applications with 20% of the released Notes addressing this type of issues,” ERPScan, another company focused on securing SAP and Oracle software, says.
One of the XSS issues resolved this month impacted the Adobe Flex Software Development Kit, meaning that custom applications written with the help of the library are susceptible to XSS, ERPScan points out. SAP’s Web Dynpro Flex appears affected.
The bug was initially found in 2011 and patched in March 2012. It allowed an attacker to remotely inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.
Because the issue impacts a library, applying the SDK fix alone won’t eliminate the vulnerability: every application built with the vulnerable library needs to be rebuilt using the patched version of the SDK.
According to ERPScan, a cross-site scripting vulnerability in the SAP Customer Relationship Management IPC Pricing module (CVSS Base Score: 6.1) deserves attention, as it could allow an attacker to inject a malicious script into a page. The script would have access to cookies, session tokens, and other critical information stored and used for interaction with a web application. Thus, an attacker could learn business-critical information, gain control over it, or abuse the flaw to modify displayed content without authorization.
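The XSS issues discussed above (the Flex SDK bug and the IPC Pricing flaw) share the same root cause: a request parameter is reflected into a page without output encoding, so script in the parameter runs with access to the page’s cookies and session tokens. The following is an added illustration, not code from SAP, ERPScan or Onapsis; the page template, parameter and cookie values are constructed for the example. It shows the unencoded rendering beside the encoded one, and a check for the HttpOnly cookie attribute that keeps a session token out of reach of injected script even when encoding is missed:

```python
import html
import re

# Constructed sample input (not taken from the page): a request parameter
# carrying a script tag, as a reflected XSS would echo it back to the browser.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_vulnerable(param: str) -> str:
    """Reflect the parameter into the page body with no encoding (the flaw)."""
    return f"<html><body><p>Results for: {param}</p></body></html>"


def render_hardened(param: str) -> str:
    """Same page, but the parameter is HTML-entity encoded before insertion,
    so '<', '>', '&' and quotes reach the browser as text, not markup."""
    return f"<html><body><p>Results for: {html.escape(param, quote=True)}</p></body></html>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """True if the rendered page still contains an un-encoded <script> tag."""
    return _SCRIPT_TAG.search(page) is not None


def session_cookie_exposed_to_script(set_cookie: str) -> bool:
    """True if a Set-Cookie header lacks HttpOnly, meaning a script injected
    into the page can read the cookie through document.cookie."""
    attributes = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" not in attributes


if __name__ == "__main__":
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(SAMPLE_INPUT)))
    print("hardened page executes script:  ", contains_live_script(render_hardened(SAMPLE_INPUT)))
    # Constructed cookie headers, not values observed in any SAP product.
    print("cookie readable by script:", session_cookie_exposed_to_script("JSESSIONID=abc123; Path=/"))
    print("cookie readable by script:", session_cookie_exposed_to_script("JSESSIONID=abc123; Path=/; HttpOnly; Secure"))
```

Encoding at the point of output is the fix the SAP notes deliver; the HttpOnly check is a defence-in-depth setting worth verifying on session cookies regardless, since it limits what a script that does get injected can read.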
“It’s been another SAP Notes Day without any critical (Hot News) patch update. Despite it not being a critical month, the high priority notes mentioned above should be treated as soon as possible. […] Almost all bug types are included within this release, despite most of them having a medium priority tag,” Onapsis notes.