SAP Patches 17 Vulnerabilities With May 2017 Security Update
11.5.2017 securityweek Vulnerebility
SAP on Tuesday released its May 2017 set of security fixes to address 17 issues in its products, the lowest number of monthly vulnerabilities over the past six months.
Only 9 of the security notes were released on this SAP Security Patch Day, SAP reveals. 4 others were released after the second Tuesday of the previous month and before the second Tuesday of this month, while 4 more are updates to previously released notes.
Missing Authorization Checks (5 vulnerabilities) and Cross-Site Scripting (5 flaws) represented the most common vulnerability types addressed this month. Additionally, SAP resolved two Implementation flaws, along with an XML external entity, one denial of service, a buffer overflow, one clickjacking, and an SQL injection.
The highest CVSS score of the vulnerabilities resolved this month is 6.5. One of the flaws, however, was assessed a Hot News rating, while another was considered High priority, ERPScan notes. The remaining 15 issues included 14 Medium risk vulnerabilities and one Low severity bug.
As security firm Onapsis explains, the High priority vulnerability wasn’t an issue directly in the SAP platform, but a bug in a third-party library that SAP uses. Resolved via note #2380277 (titled “Memory Corruption Vulnerability in IGS”), the bug allows an attacker to update a library component that is being used by Internet Graphics Server (IGS).
The library has been vulnerable for the past year, but it is easy to resolve and there are no reports of it being widely exploited, Onapsis notes. The issue affects products from companies such as Oracle and RedHat too, but they updated it last year.
The most important of the issues SAP Security Patch Day addressed include two missing authorization checks in SAP Defense Forces & Public Security DFPS module (CVSS Base Score of 6.5 and 6.3, respectively), a missing authorization check in SAP NetWeaver ADBC Demo Programs (6.3), and a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Authentication and SSO (6.1).
A total of 4 vulnerabilities in DFPS module were addressed this month, namely 3 missing authorization checks affecting DFPS and one update to a patch for SQL Injection in the same module. Overall, SAP addressed 18 vulnerabilities in this module (3 High priority and 15 Medium risk). 11 of the bugs were resolved over the past six months.
“Missing authorization check vulnerability usually allows a perpetrator to read, modify or delete data, which has restricted access. When it comes to the defense industry and armed forces, the information can be critical in terms of International security and the effect of even such low-impact vulnerabilities could be devastating,” ERPScan notes.
All but one of the May 2017 SAP Security Patch Day notes are automatic ones, meaning that they have an automatic effect and customers won’t have to take additional steps to secure their deployments, Onapsis says. The only note that has manual steps is #2142551 (“Whitelist Service for Clickjacking Framing Protection in AS ABAP”).