SAP released its monthly set of security fixes this week, including patches for serious flaws in the web browser controls shipped with SAP Business Client. The most significant Security Note addresses numerous flaws in the web browser controls used to display pages in SAP Business Client 6.5 PL5. The flaws affect the browser controls for both Microsoft's Internet Explorer and the open source Chromium.
"The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE," explains Onapsis, a firm that specializes in securing Oracle and SAP products.
Users who follow the regular Windows update process should already be protected from the flaws in the Internet Explorer browser control, given that the control "hooks into libraries that are patched alongside other Windows updates," Onapsis explains.
The Chromium browser control, however, is shipped with SAP Business Client itself and therefore requires the newly released Security Note to be fixed. One of the High Priority Security Notes in SAP's patch set addresses a denial of service in SAP Business One (CVSS score of 7.5), although the flaw actually resides in Apache. An attacker could terminate the vulnerable application's process by abusing the flaw. SAP also addressed an improper session management issue in SAP Business Objects (CVSS score of 7.3). Tracked as CVE-2018-2408, the flaw results in existing user sessions remaining active even after a password change.
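The session management flaw described above is a general pattern: sessions issued before a password change keep working afterwards. The following added example (not SAP's code, and unrelated to how Business Objects implements sessions) contrasts a naive session store with one that stamps each session with a per-user password generation and rejects sessions that predate the current credential; the user name and tokens are constructed for the demo.

```python
"""Session validity across a password change.

Constructed illustration of the defect class behind CVE-2018-2408:
a store that keeps old sessions alive after a password change, beside
a store that binds each session to the password in force when it was
issued. Not SAP code; names and tokens are invented for the demo.
"""
import secrets


class SessionStore:
    def __init__(self, bind_to_password: bool):
        # False reproduces the weak behaviour; True applies the fix.
        self.bind_to_password = bind_to_password
        self._sessions = {}       # token -> (user, password generation at login)
        self._pw_generation = {}  # user -> int, incremented on every change

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._pw_generation.get(user, 0))
        return token

    def change_password(self, user: str) -> None:
        # Bumping the generation is what retires every earlier session;
        # no per-session bookkeeping is needed at change time.
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1

    def is_valid(self, token: str) -> bool:
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, generation_at_login = entry
        if not self.bind_to_password:
            return True  # weak: any issued token stays valid indefinitely
        # Fixed: only sessions created under the current password survive.
        return generation_at_login == self._pw_generation.get(user, 0)


def demo(fixed: bool) -> tuple:
    """Return (old session still valid?, fresh session valid?) after a change."""
    store = SessionStore(bind_to_password=fixed)
    old_token = store.login("alice")
    store.change_password("alice")
    new_token = store.login("alice")
    return store.is_valid(old_token), store.is_valid(new_token)


if __name__ == "__main__":
    print("weak store :", demo(fixed=False))  # (True, True)
    print("fixed store:", demo(fixed=True))   # (False, True)
```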
SAP also released an update this month to a Note describing a code injection flaw in SAP Visual Composer (CVSS score of 7.4). The vulnerability allowed an attacker to inject code into the back-end application by sending a specially crafted HTTP GET request to the Visual Composer. SAP patched that, but researchers found that the flaw could also be triggered using POST requests.
Moreover, SAP released Update 1 to Security Note 2376081. Also carrying a CVSS score of 7.4, the Note fixes a flaw in VCFRAMEWORK and VC70RUNTIME. Another update included in this month's Patch Day is Security Note 2201710. Rated Medium Priority with a CVSS score of 5.4, it is an update to a Note first released with the September 2015 Patch Day: Patching Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products. 18 SAP products are affected.
The remaining Security Notes released this month describe flaws in SAP CP Connectivity Service and Cloud Connector, Disclosure Management, Solution Manager Incident Management Workcenter, Business One Browser Access, Crystal Reports Server OEM Edition, and Control Center and Cockpit Framework.
SAP also released 4 further Security Notes, for a total of sixteen Security Notes, according to ERPScan, another firm that specializes in protecting Oracle and SAP products.
The identified issues comprise 5 implementation flaws, two directory traversal, two cross-site scripting, and two code injection vulnerabilities, as well as buffer overflow, missing authorization check, denial of service, XML external entity (XXE), and clickjacking issues.