Three of the 31 patches pushed out by SAP on Tuesday tackle flaws in the ERP giant’s technology for Defense Forces & Public Security.
In particular, SAP's Defense Forces & Public Security and SAP Mobile Defense & Security components are susceptible to a missing authorisation check vulnerability. “This issue potentially allows an attacker to read, modify or delete restricted data and is not usually considered critical,” Alexander Polyakov, CTO and co-founder at ERPScan, told El Reg. “However, the effect of even such low-impact vulnerability could be devastating when it comes to armed forces.”
SAP for Defense Forces & Public Security is designed for armed forces, police, and aid organisations and offers ERP technology optimised to their particular needs. The software offers functions such as mapping organisational structures and material and personnel resource planning, accounting and funds management, materials management and more.
Other significant patches in SAP’s December batch include a fix for a directory traversal flaw in the SAP UserAdmin Application and a patch for a potential remote code execution bug in SAP BI Platform.
Now that the December patch batch is out, yearly totals can be compiled. SAP released 315 patches throughout 2016, slightly fewer than in 2015. Cross-site scripting (XSS) remains the most common vulnerability type, ERPScan reports.
In response to a request for comment, SAP said it welcomed the input of researchers such as ERPScan.
SAP Product Security Response Team collaborates frequently with research companies like ERPScan to ensure a responsible disclosure of vulnerabilities. The vulnerabilities in question have been fixed by SAP and the patches have been made available for download on the SAP Service Marketplace. We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately.
Tuesday also brought security updates from Microsoft, Apple and Adobe. ®