
Make a SAP decision: Apply these security fixes if you're using German giant's software

11 patches ship on Patch Tuesday

By Richard Chirgwin


While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan's systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company's BW/4HANA data warehouse (CVE-2019-0243) and SAP Enterprise Financial Services (CVE-2018-2484) both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company's Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there's one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company's CRM Web Client UI (CVE-2019-0244 and CVE-2019-0245).

SAP's list of patches and notices is here. You should apply updates as soon as possible. ®
