SAP released its monthly set of security fixes this week, addressing just three vulnerabilities in its products, all of them rated Medium severity.
In addition to the three security notes, the January 2018 SAP Security Patch Day includes four updates to previously released security notes. These too had a Medium severity rating, the company said.
The most important of the fixes were updates to a security note released in October 2014, which addressed a code injection vulnerability in Knowledge Provider. The issue is tracked as CVE-2018-2363 and has a CVSS score of 6.5.
“Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or escalate privileges by executing malicious code or even perform a DOS attack,” ERPScan, a company that specializes in securing SAP and Oracle products, explains.
SAP also released an update to a security note published in December 2017, addressing CVE-2017-16690, a DLL preload attack possible on NwSapSetup and the installation self-extracting program for SAP Plant Connectivity (CVSS score 5.0). Newly addressed issues include CVE-2018-2361, an Improper Role Authorizations issue in SAP Solution Manager 7.2 (CVSS score 6.3); CVE-2018-2360, a Missing Authentication check in Startup Service (CVSS score 5.8); and CVE-2018-2362, an Information Disclosure in Startup Service in SAP HANA (CVSS score 5.3).
By exploiting CVE-2018-2360, an attacker could access a service “without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks,” ERPScan reveals. CVE-2018-2361’s exploitation could provide an attacker with the possibility to edit all tables on the server, which could result in data compromise, the company continues.
ERPScan, which counts the code injection security note updates as a single fix, says that 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes) were closed with the January 2018 SAP Security Patch Day. 3 were updates to earlier security notes and 5 were released after the second Tuesday of the previous month and before the second Tuesday of the current month.