SAP’s Security Patch Day updates for August 2019 address three new critical vulnerabilities affecting the company’s products. This is the highest number of critical flaws fixed on the same day since 2014.
SAP has released a total of 12 new patches (Security Notes) that address vulnerabilities in the company’s NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.
Four of the patches have been classified as critical (Hot News), including one that is an update to a Security Note initially released in April 2018 for Business Client and which, to date, has been updated ten times, according to Onapsis, a company that specializes in protecting SAP and Oracle applications.
The other three Hot News patches are for a remote code execution flaw in the NetWeaver UDDI Server (CVE-2019-0351), code injection vulnerabilities in Commerce Cloud (CVE-2019-0344), and a server-side request forgery (SSRF) flaw in the NetWeaver Application Server for Java (CVE-2019-0345).
Onapsis pointed out that CVE-2019-0351 is the vulnerability with the highest CVSS score patched this year, 9.9. The vulnerability is caused by a buffer overflow and it allows an attacker to inject code into working memory.
“Because of the low complexity of this attack scenario in conjunction with the wide range of possible damages (e.g. information disclosure, data manipulation and destruction) up to the complete control of the product, this Note is considered as the most critical one to be released by SAP in 2019,” Onapsis said in a blog post.
The SSRF vulnerability tracked as CVE-2019-0345 was discovered by Onapsis researchers. The company noted that it allows an attacker to gain admin access to the Management Console for SAP Java systems.
“The worst-case scenarios include remote OS execution on the system and stopping SAP system generation, a denial of service (DoS) attack,” Onapsis explained.
Of the remaining vulnerabilities, two have been classified as “high severity.” They include a DoS flaw in SAP HANA and a missing authorization check issue in a SAP kernel package that can lead to information disclosure and data manipulation.
“Considering the number of four HotNews and two High Priority Security Notes and taking into account the wide range of attack vectors exploitable in various SAP platforms, the August Patch Day demonstrates impressively the importance of keeping your systems up to date,” Onapsis said.
According to Onapsis, a total of 23 Security Notes have been released by SAP since the previous Patch Day updates.