Vulnerabilities

Recently found critical vulnerabilities in SAP system

The company is preparing 11 patches to correct these flaws

Last Tuesday, the business software provider SAP issued 11 security alerts for its users. According to cybersecurity and ethical hacking specialists from the International Institute of Cyber Security, the company informed its customers that it is releasing a series of security patches to correct vulnerabilities recently found in the data management system.

Heading the list is a vulnerability in version 2.11.3 of SAP Cloud Connector, tracked as CVE-2019-0246. According to reports from cybersecurity specialists, this software performs poor authentication for the functions that require verifying the user’s identity. Exploiting a related vulnerability (CVE-2019-0247) would allow a remote code execution attack.

Then there is SAP Landscape Management, which has a critical information disclosure vulnerability (tracked as CVE-2019-0249).

Two SAP products had additional authentication errors: the SAP data store system and SAP Enterprise Financial Services. Both vulnerabilities (CVE-2019-0243 and CVE-2018-2484) are errors in the authentication process that could allow an attacker to escalate privileges, as reported by several cybersecurity experts.

In addition, the SAP Financial Consolidation Cube Designer software has a vulnerability that could reveal password details (CVE-2018-2499), and the ABAP application server has a vulnerability that leaks information without authorization (CVE-2019-0248).

Two denial-of-service (DoS) vulnerabilities were also found. The first of these flaws is in SAP Work and Inventory Management (CVE-2019-0241); the second, in the Business Objects Tool for Android (CVE-2019-0240), is triggered through specially crafted malicious links.

Finally, an XSS vulnerability was found in SAP Commerce (CVE-2019-0238), and two others in the Enterprise CRM User Interface (CVE-2019-0244 and CVE-2019-0245).

Full details about these vulnerabilities can be found on the SAP support page. The company’s customers are encouraged to update their tools as soon as possible.
