Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Make a SAP decision: Apply these security fixes if you're using German giant's software

11 patches ship on Patch Tuesday

Richard Chirgwin Wed 9 Jan 2019  //  00:58 UTC

While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan's systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company's BW/4HANA data warehouse (CVE-2019-0243), and SAP Enterprise Financial Services (CVE-2018-2484), both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company's Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there's one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company's CRM Web Client UI (CVE-2019-0244 and CVE-2019-0245).

SAP's list of patches and notices is here. You should apply updates as soon as possible. ®
Send us news
6 Comments

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Plus: Adobe, SAP, Fortinet, VMware, Cisco issue pressing updates

Delinea Secret Server customers should apply latest patches

Attackers could nab an org's most sensitive keys if left unaddressed

SAP cloud swells its topline, but profits slide

Cloud migration good for margins, CEO says

North American S/4HANA migrations ramping among SAP users

Skills access still an issue for organizations hoping to beat the 2027 ECC support deadline

UK county council misses deadline for £7.3M RISE with SAP system launch

Gloucestershire reluctant to set new date in S/4HANA migration saga

SAP transformation program a 'euphemism' for job cuts, claims European Works Council

8,000 roles affected worldwide, but Germany will bear heaviest losses

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Hard-coded credentials last thing you want in home security app

Exploit code for Palo Alto Networks zero-day now public

Race on to patch as researchers warn of mass exploitation of directory traversal bug

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

BatBadBut hits Erlang, Go, Python, Ruby as well

March Patch Tuesday sees Hyper-V join the guest-host escape club

Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Hotel check-in terminal bug spews out access codes for guest rooms

Attacks could be completed in seconds, compromising customer safety

Ivanti commits to secure-by-design overhaul after vulnerability nightmare

CEO addresses whirlwind start to 2024 and how it plans to prevent a repeat