In its November Patch Day, SAP has released ten new and updated security notes, addressing a range of potential threats to the security of SAP applications. Among the contributors to these security notes was the Onapsis Research Labs (ORL).
One of the most critical updates is SAP Security Note #3520281, a High Priority Note with a CVSS score of 8.8. It addresses a vulnerability in SAP Web Dispatcher that lets an unauthenticated attacker publish a malicious link when the administration user interface has been activated. SAP offers three temporary workarounds: deleting specific files, changing profile parameters, and removing the administrator role from all users. Note that these workarounds behave differently once the permanent patch is applied: the file deletion must be reversed, the profile parameter changes must be reapplied, and the administrator role should not be reassigned.
Another critical update is SAP Security Note #3483344, a High Priority Note with a CVSS score of 7.7. This note addresses a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE). A patch for software component SEM-BAP has been added to the original advisory, published in July.
SAP Security Note #3504390, a Medium Priority Note, affects SAP NetWeaver Application Server for ABAP and ABAP Platform. The affected component is susceptible to a null pointer dereference that an unauthenticated attacker can trigger by sending maliciously crafted HTTP requests. The SAP Security Team authored this note along with two other Medium Priority Notes, including #3522953.
SAP Security Note #3522953 addresses an Information Disclosure vulnerability in the Software Update Manager (SUM) of an SAP NetWeaver Application Server Java, version 1.1. Under certain conditions, this vulnerability allows cleartext credentials to be written into a log file, which can be read by a non-administrative user with local access. The CVSS score for this note is 4.7.
The Onapsis Research Labs contributed to three Security Notes in November, including SAP Security Note #3504390 and #3522953.
SAP customers can expect even more from the ORL in the coming months. The company continues to work diligently to ensure the security of its applications and to protect its customers from potential threats. It is essential for SAP customers to stay up-to-date with the latest security notes and to apply the necessary patches to maintain the security of their systems.