Running SAP? Checked for patches lately? Now's a good time

New round of fixes includes one for security bypass flaw

SAP has released its July pack of security fixes, including critical patches one researcher says demand your urgent attention.

Alexander Polyakov of ERPScan noted a handful of security vulnerabilities patched by the release that could potentially be targeted for attacks.

Among the patches is a fix for an authorization bypass flaw in SAP ASE XP Server. That vulnerability could allow an attacker to bypass security checks. The vulnerability was rated as a 9.3 on the CVSS vulnerability scale.

"This can lead to information disclosure, privilege escalation, and other attacks," Polyakov wrote.

"It is recommended to install this SAP Security Note to prevent risks."

Other flaws Polyakov flagged as priority fixes include a vulnerability in IDES ECC that could allow an attacker to remotely take control of a vulnerable SAP server, and a flaw in SAP Service Data Download that could also allow remote command execution. Both of those vulnerabilities were given CVSS scores of 6.0.

Polyakov himself was credited by SAP this month for discovering a vulnerability in the SAP XML Data Archiving Service.

"An attacker can use Missing Authorization Checks to access a service without any authorization procedures and use service functionality that has restricted access," he said.

"This can lead to an information disclosure, privilege escalation, and other attacks."
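The missing-authorization-check class Polyakov describes is easiest to see as a service dispatcher that never consults the caller's authorizations beside one that does. The following is an added illustration written for this page, not code from SAP or from ERPScan; the service name, archive contents and the authorization object `Z_ARCHIVE_READ` are constructed placeholders. The hardened dispatcher also fails closed when a service has no declared authorization requirement, which is the registration mistake that typically produces this vulnerability class.

```python
"""Missing authorization check: a vulnerable service dispatcher beside a
hardened one. Constructed example; the service name, archive data and the
authorization object name are invented placeholders, not SAP's own."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller lacks the authorization a service requires."""


@dataclass
class Caller:
    user: str
    # Authorization objects granted to this user (constructed names).
    authorizations: frozenset = field(default_factory=frozenset)


# Restricted service functionality: archive contents that should only be
# returned to callers holding the matching authorization (constructed data).
ARCHIVE = {"ARCH_0001": "payroll-2013-q2", "ARCH_0002": "vendor-bank-details"}


def export_archive(caller: Caller, archive_id: str) -> str:
    """Service handler: returns the requested archive entry."""
    return ARCHIVE[archive_id]


# --- Vulnerable form -------------------------------------------------------
# Any caller that can reach the service may invoke it: the dispatcher looks
# the handler up by name and never checks what the caller is authorized for.
VULNERABLE_SERVICES = {"EXPORT_ARCHIVE": export_archive}


def dispatch_vulnerable(caller: Caller, service: str, *args) -> str:
    handler = VULNERABLE_SERVICES[service]
    return handler(caller, *args)


# --- Hardened form ---------------------------------------------------------
# Each service is registered together with the authorization object it
# requires. The dispatcher verifies that object before calling the handler,
# and refuses to run a service whose requirement is missing or unregistered,
# so a forgotten registration fails closed instead of opening the service.
HARDENED_SERVICES = {
    "EXPORT_ARCHIVE": (export_archive, "Z_ARCHIVE_READ"),  # constructed auth object
}


def dispatch_hardened(caller: Caller, service: str, *args) -> str:
    try:
        handler, required = HARDENED_SERVICES[service]
    except KeyError:
        raise AuthorizationError(f"service {service!r} is not registered")
    if not required:
        # Fail closed: a service with no declared requirement is never run.
        raise AuthorizationError(f"service {service!r} declares no authorization")
    if required not in caller.authorizations:
        raise AuthorizationError(f"user {caller.user!r} lacks {required!r} for {service!r}")
    return handler(caller, *args)


def demo() -> dict:
    """Run both dispatchers for an unauthorized and an authorized caller."""
    anonymous = Caller(user="anonymous")
    auditor = Caller(user="auditor", authorizations=frozenset({"Z_ARCHIVE_READ"}))
    outcome = {"vulnerable": dispatch_vulnerable(anonymous, "EXPORT_ARCHIVE", "ARCH_0002")}
    try:
        dispatch_hardened(anonymous, "EXPORT_ARCHIVE", "ARCH_0002")
        outcome["hardened_anonymous"] = "allowed"
    except AuthorizationError:
        outcome["hardened_anonymous"] = "denied"
    outcome["hardened_auditor"] = dispatch_hardened(auditor, "EXPORT_ARCHIVE", "ARCH_0002")
    return outcome


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unauthorized caller pulling restricted data through the vulnerable dispatcher while the hardened one denies the same request and still serves the authorized auditor; the check sits in the dispatcher rather than in each handler so that no individual service can be shipped without it.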

The Reg was unable to get a full list of the July security notices posted by SAP. Admins should check with SAP or their IT service providers to ensure that all patches are installed. ®
