Make a SAP decision: Apply these security fixes if you're using German giant's software

11 patches ship on Patch Tuesday

By Richard Chirgwin

While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan's systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company's BW/4HANA data warehouse (CVE-2019-0243) and SAP Enterprise Financial Services (CVE-2018-2484) both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company's Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there's one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company's CRM Web Client UI (CVE-2019-0244 and CVE-2019-0245).

SAP's list of patches and notices is here. You should apply updates as soon as possible. ®
