SAP this week released seven new security notes as part of the October 2019 Security Patch Day, with two of these notes rated Hot News (Critical).
This month’s set of patches also includes two security notes released after the second Tuesday of last month but before this Tuesday, along with one update for a previously released patch, totalling 10 security notes.
The most important of these notes addresses a missing authentication check in the AS2 adapter of the B2B add-on for SAP NetWeaver Process Integration. Tracked as CVE-2019-0379, the vulnerability features a CVSS score of 9.3.
Successful exploitation of this bug could lead to the theft of sensitive data or to data manipulation, or it could provide attackers with access to administrative and other privileged functionality. The issue can be exploited remotely, explains Onapsis, a firm specialized in securing Oracle and SAP products.
The second Hot News note patches an information disclosure vulnerability in SAP Landscape Management enterprise edition, version 3.0. The security flaw is tracked as CVE-2019-0380 and has a CVSS score of 9.1.
The issue, Onapsis says, is related to the custom parameters that a user can add to providers (which contain information about the scripts and other properties) assigned to custom operations. Under certain, “uncommon” conditions these providers create the risk of information disclosure, SAP says.
This month, SAP also released a High priority security note addressing a binary planting vulnerability in SAP SQL Anywhere, SAP IQ and SAP Dynamic Tiering. Tracked as CVE-2019-0381 and featuring a CVSS score of 7.8 due to the fact that access to the lo ..
Support the originator by clicking the read the rest link below.
