
Make a SAP decision: Apply these security fixes if you're using the German giant's software

11 patches ship on Patch Tuesday

By Richard Chirgwin


While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan's systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company's BW/4HANA data warehouse (CVE-2019-0243) and SAP Enterprise Financial Services (CVE-2018-2484) both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company's Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there's one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company's CRM Web Client UI (CVE-2019-0244 and CVE-2019-0245).

SAP's list of patches and notices is here. You should apply updates as soon as possible. ®
