Germany-based enterprise software maker SAP has released patches for a total of 22 vulnerabilities as part of its August 2015 Security Patch Day.
In addition to providing fixes for 22 new vulnerabilities, SAP updated four previously released patches. According to the company, a majority of the fixed issues are cross-site scripting (XSS) and information disclosure flaws. SAP says15 of the 26 vulnerabilities have been classified “high severity”.
SAP has not made public any details on the patched flaws, but ERPScan, a company that specializes in protecting SAP and Oracle business-critical ERP systems, has shared some information on the most serious vulnerabilities.
ERPScan’s own researchers identified three of the SAP product vulnerabilities patched this month. The list includes XML External Entity (XXE) bugs in SAP Mobile Platform 2.3 and SAP NetWeaver Portal, and an XSS in SAP Afaria 7.
According to the security firm, there are four critical vulnerabilities that SAP customers should patch as soon as possible.
One of these critical issues, with a CVSS score of 8.5, is a remote code execution flaw in SAP ST-P that can be exploited by an attacker to compromise SAP servers and access the information stored on them. This can including source code, configuration files, critical system files, and business-related information, ERPScan said.
Another serious vulnerability affects the SAP NetWeaver AFP Servlet. The security hole, known as Reflected File Download (RFD), can be exploited to push malware onto victims’ devices by tricking them into clicking on a specially crafted link.
ERPScan warns SAP HANA users about two flaws. One of them can be exploited to terminate a process, which can lead to service disruptions, while the other bug is related to an incorrect system configuration that can allow an attacker to access internal HANA services without authentication.
These vulnerabilities have been patched by SAP with the 2037304, 2169391, 2175928 and 2165583 security notes.
SAP vulnerability advisories have also been published this week by business-critical application security firm Onapsis. The company released advisories detailing three SAP Mobile Platform DataVault flaws reported to SAP in November 2014 and addressed in April 2015.