SAP's Business Client can own entire apps, DDOS them into dust
And that's the worst of ten patches awaiting lucky, lucky SAP admins
SAP has issued its April security update, which brings a waiting world news of ten patch-worthy problems.
The nastiest has a CVSS rating of 9.8 and impacts SAP's Business Client, the desktop tool to access much of its wares.
Details of the problem are behind a registration wall, but according to ERP Scan, the vulnerability is a memory corruption bug that allows an attacker to inject crafted code into working memory. The outcome can be “complete control” over the application, denial of service, or remote code execution.
The company has also patched SAP Business One to fix the Apache vulnerability CVE-2017-7668. In that vulnerability, Apache httpd 2.2.32 and 2.4.24 had a buffer overrun exploitable for denial of service.
There are three other high-rated vulnerabilities in the April fixes: two for Visual Composer 04s iviews (VCFRAMEWORK versions 7.00, 7.01 and 7.02 and VC70RUNTIME 7.30, 7.31, 7.40, 7.50), one of which is a code injection bug; and CVE-2018-2408 in SAP Business Objects, a session management bug that doesn't implement password changes properly.
As the Mitre advisory noted: “In case of password change for a user, all other active sessions created using [the] older password continues to be active.”
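To make the session bug concrete, here is an added sketch (not SAP's code, and not from the advisory) of a toy in-memory session store: with `revoke_on_change=False` it reproduces the behaviour Mitre describes, and with `True` it ties each session to a per-user credential epoch so a password change invalidates every other session. The class, method and user names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy auth store; revoke_on_change=False reproduces the described flaw."""

    def __init__(self, revoke_on_change):
        self.revoke_on_change = revoke_on_change
        self.users = {}     # user -> (salt, password hash, credential epoch)
        self.sessions = {}  # token -> (user, credential epoch at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password, keep_token=None):
        salt = secrets.token_bytes(16)
        epoch = self.users.get(user, (None, None, 0))[2]
        if self.revoke_on_change:
            epoch += 1  # every session minted under the old password is now stale
        self.users[user] = (salt, self._hash(password, salt), epoch)
        # Re-bind only the session that performed the change, if it is the user's own.
        if self.revoke_on_change and self.sessions.get(keep_token, (None,))[0] == user:
            self.sessions[keep_token] = (user, epoch)

    def login(self, user, password):
        salt, digest, epoch = self.users[user]
        if not hmac.compare_digest(digest, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, epoch)
        return token

    def is_valid(self, token):
        # A session is honoured only if it was issued under the current epoch.
        user, epoch = self.sessions.get(token, (None, None))
        return user is not None and epoch == self.users[user][2]


def demo(revoke_on_change):
    """Return (other session still valid, password-changing session still valid)."""
    store = SessionStore(revoke_on_change)
    store.set_password("alice", "old-password")    # constructed sample data
    other = store.login("alice", "old-password")   # e.g. a second device
    current = store.login("alice", "old-password")
    store.set_password("alice", "new-password", keep_token=current)
    return store.is_valid(other), store.is_valid(current)
```

In the flawed mode the second device's session survives the password change; in the corrected mode only the session that made the change remains valid.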
The April patch set also includes seven patches rated merely medium, including a Blaze DB vulnerability dating back to 2009.
The full April bug list is here. ®
Update: SAP has contacted The Register regarding one of the bugs:
"SAP Business Client is integrated with Chromium, an open source rendering engine of Google Chrome web browser. The new releases of Chromium contain security fixes and the SAP security note 2622660 is an outcome to update SAP customers on the vulnerability SAP Business Client inherited from third party web browser controls like Google Chromium. The vulnerabilities that are listed in SAP security note 2622660 are found in components delivered by Google.
Or in other words: Google was responsible to fix this vulnerability. We just rolled it out to our customers."