SAP announced its security updates for August 2018 on Tuesday. The latest round of updates contains over two dozen fixes, but none of them addresses a critical-severity flaw. The German software giant has released 27 SAP Security Notes, consisting of 14 Patch Day Notes and 13 Support Package Notes. Seven of these are updates to previously released fixes.

Nine of the fixes address high severity bugs, including two discovered by researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications.

“One [Security Note] fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA,” Onapsis said in a blog post detailing this month’s patches. “The [SQL injection] issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind SQLi, and the other a regular SQLi blind boolean-based SQLi vulnerability,” the company added. “These SQLi vulnerabilities […] allow an attacker without privileges to get information from the Central Management Server System Database. As described, it is sensitive infrastructure information related to the BusinessObjects Enterprise platform, its structure and configuration.”
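The two BusinessObjects notes above both come down to user-controlled text being spliced into a database query. The following is an added example, not code from the SecurityWeek article, Onapsis, or SAP: it uses an in-memory SQLite table (constructed sample data) to contrast a query built by string concatenation with the same query using bound parameters, which is the fix class SAP applies for this bug category. The table, column names and the `lookup_*` functions are assumptions for illustration only.

```python
import sqlite3


def build_db():
    """Constructed sample: a tiny stand-in for a console's user table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "viewer")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Anti-pattern: the caller's text becomes part of the SQL grammar.

    A value containing a quote or boolean operator rewrites the WHERE clause,
    so the query stops answering the question the developer wrote.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound separately from the query text.

    The database driver treats the whole argument as data, never as syntax,
    so any quotes or operators it contains are matched literally.
    """
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(conn, name):
    """Return (rows from vulnerable path, rows from parameterized path).

    For a well-formed name both lists agree; a divergence is the signal that
    the concatenated query has been reshaped by its input.
    """
    return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = build_db()
    for candidate in ["alice", "x' OR '1'='1"]:
        vuln_rows, safe_rows = compare(db, candidate)
        print(f"{candidate!r}: concatenated -> {vuln_rows}, bound -> {safe_rows}")
```

The second candidate is the textbook tautology: the concatenated path returns every row because the predicate became `name = 'x' OR '1'='1'`, while the bound path returns nothing because no user is literally named that. In a code review or static scan, any query assembled from request data with `+`, `%` or f-strings is the pattern to flag; the parameterized form is the remediation regardless of which database is behind it.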

Another company, ERPScan, which specializes in securing SAP applications, noted that six of the bugs fixed in this round are implementation flaws, while another six are missing authorization checks.

ERPScan has provided a brief description of three of the most severe flaws fixed by SAP with the August 2018 updates. The security flaws, all rated “high severity,” include the SQL injection bugs identified by Onapsis in BusinessObjects (CVE-2018-2447), a missing authorization check in the SAP SRM MDM Catalog (CVE-2018-2449), and a memory corruption bug in the BusinessObjects Business Intelligence platform that can lead to arbitrary command execution (CVE-2015-5237).

“An attacker can use [CVE-2018-2449] to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” ERPScan said.
