SAP has released the monthly critical patch update for April 2015. This patch update closes a lot of vulnerabilities in SAP products. Most of them are potential information disclosure vulnerabilities.
The most critical issues found by other researchers
Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Notes:
2067830: SAP Web Dynpro Java has an Implementation Flaw (CVSS Base Score: 5.8). An attacker can upload a malicious file to a system when the virus scanner is not configured correctly. It is recommended to install this SAP Security Note to prevent risks.
2094830: SAP Sybase Unwired Platform Online Data Proxy has an Information Disclosure vulnerablity (CVSS Base Score: 4.7). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.
2084037: SAP NetWeaver RFC SDK has an Information Disclosure vulnerability (CVSS Base Score: 4.3). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.
SAP has traditionally issued acknowledgments to the security researchers on their website. Checks for the issues are already available in ERPScan Security Monitoring Suite.
Comments