SAP this week released 6 Security Notes as part of its April 2019 Security Patch Day, including two that address High severity flaws in Crystal Reports and NetWeaver.
Tracked as CVE-2019-0285 (CVSS Base Score: 7.5), the vulnerability in Crystal Reports is an information disclosure issue that could provide an attacker with access to details such as system data, debugging information, and more.
The second High risk flaw is CVE-2019-0283 (CVSS Base Score: 7.1), a spoofing attack vulnerability in NetWeaver Java Application Server. An attacker could target the bug to spoof the data being displayed to the user.
Other vulnerabilities addressed this month include a missing authorization check for the ABAP INST function module (CVE-2019-0279, CVSS Base Score: 5.5), information disclosure in NetWeaver (CVE-2019-0282, CVSS Base Score: 5.3; CVE-2019-0278, CVSS Base Score: 5.1), and an XML External Entity (XXE) vulnerability in SAP HANA (CVE-2019-0284, CVSS Base Score: 5.1).
The XXE in HANA requires special attention as it can be “used in a targeted attack, based on its ease of exploitability and the potential negative impact to business continuity. If not patched, the vulnerability would allow an attacker to remotely access critical files from the server and steal any web app custom code,” Onapsis, a firm that specializes in securing SAP and Oracle applications, says.
The Security Patch Day also saw the release of updates for three previous security notes, including the Hot News note that delivers security updates for the browser control Google Chromium delivered with SAP Business Client, initially released as part of the April 2018 Patch Day.
Another update was released for a note addressing an XXE bug in SLD Registration of NetWeaver and ABAP Platform (CVE-2019-0265), while the third is for a missing authorization check in Enterprise Financial Services (CVE-2018-2484).
SAP also rolled out two notes released after the second Tuesday of the last month but before the second Tuesday of this month, ERPScan, another firm that specializes in the security of Oracle and SAP applications, reveals.
Together with Support Package Notes, these bring the total of Security Notes released as part of the April 2019 SAP Security Patch Day to 13.
Missing authorization check was the most encountered vulnerability type this month, followed by information disclosure and XXE. SAP also patched directory traversal, spoofing, an implementation flaw, and a session fixation bug.
Related: SAP Patches Critical Vulnerability in HANA XSA
Related: SAP Releases ‘Hot News’ Security Notes on First Patch Day of 2019
Ionut Arghire is an international correspondent for SecurityWeek.
Tags: 
