Make a SAP decision: Apply these security fixes if you're using German giant's software

11 patches ship on Patch Tuesday

By Richard Chirgwin

While you were sighing your way through Microsoft's Patch Tuesday, enterprise vendor SAP slid 11 security advisories under your door.

Top of the list is a depressingly familiar howler in SAP Cloud Connector pre-version 2.11.3: the software neglects authentication checks for functions that require user identity (CVE-2019-0246). A related bug in Cloud Connector (the same versions), CVE-2019-0247, can be exploited to achieve remote code injection.

The German titan's systems management environment, SAP Landscape Management, is also on the critical list thanks to a sketchily described information disclosure bug, CVE-2019-0249.

Two other products suffered authentication slip-ups. The company's BW/4HANA data warehouse (CVE-2019-0243), and SAP Enterprise Financial Services (CVE-2018-2484), both have authentication blunders that can result in privilege escalation.

SAP Financial Consolidation Cube Designer could reveal password hashes (CVE-2018-2499), and the ABAP application server had an undefined information disclosure bug (CVE-2019-0248).

There are two denial-of-service bugs in the list: one in the company's Work and Inventory Manager (CVE-2019-0241), the other via crafted malicious links in Business Objects for Android (CVE-2019-0240).

Finally, there's one cross-site scripting bug patched in SAP Commerce (CVE-2019-0238) and two in the company's CRM Web Client UI (CVE-2019-0244 and CVE-2019-0245).

SAP's list of patches and notices is here. You should apply updates as soon as possible. ®
