SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.
SAP has released a total of 12 new patches (Security Notes) that address vulnerabilities in the company’s NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.
Four of the patches have been classified as critical (Hot News), including one that is an update to a Security Note initially released in April 2018 for Business Client and which, to date, has been updated ten times, according to Onapsis, a company that specializes in protecting SAP and Oracle applications.
The other three Hot News patches are for a remote code execution flaw in the NetWeaver UDDI Server (CVE-2019-0351), code injection vulnerabilities in Commerce Cloud (CVE-2019-0344), and a server-side request forgery (SSRF) flaw in the NetWeaver Application Server for Java (CVE-2019-0345).
Onapsis pointed out that CVE-2019-0351 is the vulnerability with the highest CVSS score patched this year, 9.9. The vulnerability is caused by a buffer overflow and it allows an attacker to inject code into working memory.
“Because of the low complexity of this attack scenario in conjunction with the wide range of possible damages (e.g. information disclosure, data manipulation and destruction) up to the complete control of the product, this Note is considered as the most critical one to be released by SAP in 2019,” Onapsis said in a blog post.
The SSRF vulnerability tracked as CVE-2019-0345 was discovered by Onapsis researchers. The company no ..
Support the originator by clicking the read the rest link below.
