SAP releases twenty patches, two critical
Take action: Fortunately, the two critical issues this month are very specific: each can either be remedied with a specific reconfiguration or affects only a smaller number of customers. For those, patching is a priority, but only after a proper plan. The rest are part of the usual patching and maintenance routine, which all SAP administrators should already have in place.
Learn More
SAP has released its patch package for August, which includes twenty new and updated patches for SAP products. Among the patches, two are categorized as HotNews Notes, indicating critical vulnerabilities that demand immediate attention, and eight are designated as High Priority Notes, reflecting significant security concerns.
Critical vulnerabilities:
- SAP Security Note #3350297 - OS Command Injection vulnerability in the context of IS-OIL. The update emphasizes a crucial aspect: while IS-OIL is present in most SAP systems, the vulnerability only becomes relevant if specific switches (OIB_QCI and OI0_COMMON_2) are activated. Thus, it is crucial to refrain from enabling IS-OIL or related switches solely to implement this security note.
- SAP Security Note #3341460 - Improper Access Control within SAP PowerDesigner, specifically affecting customers who use the SAP PowerDesigner Client to connect to a shared model repository via an SAP PowerDesigner Proxy. These vulnerabilities involve Improper Access Control, potentially allowing an unauthenticated attacker to run arbitrary queries against the backend database via a proxy. Another vulnerability patched by the same note pertains to Information Disclosure, where an attacker could access password hashes from the client's memory. The scope of potential exploitation, however, remains limited to successful execution under specific conditions.
Among the High Priority Notes, SAP Security Note #3344295 stands out due to its potential impact on a substantial number of SAP customers. This note addresses an Improper Authorization Check vulnerability in SAP Message Server. If certain conditions align, an authenticated attacker could gain unauthorized access to the network of SAP systems connected to the targeted SAP Message Server. The vulnerability might lead to unauthorized data access and manipulation, as well as system unavailability.
The August Patch Day also covered other components like SAP Commerce Cloud, SAP PowerDesigner, SAP BusinessObjects, and SAP Business One. Multiple High Priority Notes were released to address vulnerabilities in these areas. For instance, SAP Security Note #3358300 targets a Cross-Site Scripting (XSS) vulnerability in SAP Business One, which could enable an attacker to inject malicious code into web content and impact confidentiality, integrity, and availability.