SAP publishes 27 Security Notes - SAP CRM - Tutorial & News


A tutorial on SAP CRM

Wednesday, April 12, 2017

SAP publishes 27 Security Notes

Photo: SAP headquarters, SAP Portal

SAP's Patch Tuesday normally coincides with Microsoft's monthly security update release. This time the SAP security patch includes a total of 27 Security Notes. These notes cover many security flaws in its ERP software. Among all the flaws, almost 6 were rated "High Priority", and the batch also included the most severe flaw, with a severity rating of 9.4 out of 10.

According to an analysis by ERPScan, 7 of the vulnerabilities are missing authorisation checks, four involve cross-site request forgery, three involve cross-site scripting and one is a buffer overflow flaw.

The most severe security flaw, rated 9.4 on the severity scale, was originally uncovered by ERPScan. According to SAP, it is a remote code execution vulnerability in SAP TREX/BWA.

"A Remote command execution vulnerability allows an attacker to inject code that can be executed by the application. Executed commands will run with the same privileges as the service that executed the command," explained ERPScan.

According to ERPScan, two of the cross-site scripting flaws affect SAP NetWeaver; in one of them an "attacker can use a Cross-site scripting vulnerability for injecting a malicious script into a page. The malicious script can access all cookies, session tokens and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business critical information."

Apart from SAP NetWeaver, the other affects the Java Archiving Framework, in which an attacker can use a cross-site scripting vulnerability to inject a malicious script into a page.

As reported by .uk
