SAP Patches Critical Vulnerability in HANA XSA
SAP this week released its February 2019 set of security fixes, to address over a dozen vulnerabilities across its product portfolio, including a Hot News flaw in SAP HANA Extended Application Services, advanced model.
A total of 13 Security Notes were issued as part of this month’s SAP Security Patch Day, along with 3 updates to previously released security notes. Of these, 2 Notes are rated Hot News, 4 rated High priority, and 10 considered Medium priority.
Affected SAP products this month include Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).
The first of the Hot News Notes (CVSS score of 9.8) is an update to a Security Note released on April 2018 Patch Day and includes security updates for the browser control Chromium delivered with SAP Business Client.
Featuring a CVSS score of 9.4, the Hot News Note for HANA XSA addresses a missing authentication check that could allow an attacker to gain access to high-privileged functionalities, in addition to being able to read, modify, or delete sensitive information.
The security flaw impacts XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2, Onapsis, a company specialized in securing Oracle and SAP applications, says.
Affected customers should upgrade the XS Advanced component. If that is not possible in the short term, a workaround to prevent attacks is available, relying on disabling the affected component if not in use.
Another vulnerability addressed in HANA XSA this month was a potential Information Disclosure rated Medium severity (CVSS score of 6.8).
The High priority Security Notes in this month’s SAP Security Patch Day include an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, Missing Authorization check in Disclosure Management, and access to Easy Access Menu in ABAP Platform.
Additionally, SAP issued an update to a security note released on November 2014 Patch Day, a potential information disclosure relating to database server file system. Successful exploitation could lead to an attacker accessing information stored in files on the operating system level on the database server.
This month, SAP also addressed Cross-Site Scripting (XSS) flaws, an Unrestricted File Upload vulnerability, a cross site request forgery, and a Directory Traversal vulnerability.