SAP whacks application cracks, shutters baker's dozen of potential hacks

Keeps details behind closed customer-only doors


SAP has issued a baker's dozen of high, medium, and low-severity patches.

The fixes cover four denial of service vulnerabilities, two sets of directory traversal and missing authorisation holes, a cross-site scripting flaw and a SQL injection flaw, and four miscellaneous security shortcomings.

SAP does not include any detail about what flaws its patches address on its public site.

The company also updated 13 security flaws patched last month.

The security severity of recent SAP patches.

A troop of 11 unpaid security researchers were responsible for reporting this month's 13 flaws.

Notable among those are the trio of Daria Prosochkina, Mathieu Geli, and Vahagn Vardanyan, from prolific security research outfit ERPScan.

The company has reported critical vulnerabilities in SAP assets, large portions of which were thanks to user configuration errors. ®

Update: SAP has been in touch with an official statement: "Security patches are available for download on the SAP Service Marketplace. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately."

