SAP administrators are being warned to deal with new critical vulnerabilities identified this week in the company’s monthly patch updates, which total 23 security notes.
According to security vendor Onapsis, which protects SAP and Oracle installations, this SAP Security Patch Day has the highest number of critical notes so far this year: three HotNews and two High Priority Notes, plus one re-released HotNews note.
One of them is for a code injection vulnerability in NetWeaver UDDI Server with a Common Vulnerability Scoring System (CVSS) score of 9.9, the most critical of the current year.
The others affect NetWeaver Application Server for Java and SAP Commerce Cloud (formerly SAP Hybris Commerce).
“The last time SAP published three HotNews on the same day was in 2014,” said the Onapsis blog, “so it’s important to pay attention to this month’s release and begin applying the fixes as soon as possible.”
The blog says the two vulnerabilities being fixed in SAP Java platforms allow unauthenticated attackers to execute commands remotely and potentially disrupt system operations by shutting the systems down or exhausting their resources. SAP Java systems usually host web applications that are consumed by users, most likely for day-to-day operations, so a continuity problem can have a severe economic impact on the organization.
The bug in NetWeaver UDDI Server (the one ranked CVSS 9.9) lets attackers take advantage of a buffer overflow vulnerability to inject code into working memory. The Onapsis blog points out that because of the low complexity of this attack scenario, combined with the wide range of possible damage (e.g. information disclosure, data manipulation and destruction, up to complete control of the product), it is considered the most critical fix released by SAP in 2019. Fortunately, this vulnerability can easily be fixed by applying the corresponding support packages provided with the note (versions from NetWeaver 7.10 to 7.50 are affected and have a patch available).
One of the HotNews vulnerabilities, SAP Security Note #2813811, titled “Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for Java”, has a CVSS score of 9.0, since a potential attacker could access the Management Console for SAP Java systems by stealing user credentials. Unauthenticated users gaining access as administrators of the Management Console could lead to total disruption of the Java web portals as well as data access (espionage, leaks) or data modification.
“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” says the blog.