SAP has released its Security Notes for July, which include 23 patches, the majority of them rated medium.
The most severe issue is a high-risk DoS vulnerability affecting SAP Point of Sale, a solution that has 500 billion installs, many of them used by retail companies on the Forbes Global 2000 list.
“On 11th of July 2017, SAP Security Patch Day saw the release of 10 security notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.
“The high priority security note 2476601 released today addresses technical issues in SAP Point of Sale (POS) Retail Xpress Server with potential disclosure at upcoming security conferences. Therefore, we wish to remind you to apply all SAP Security Notes on a priority.”
Experts at security firm ERPScan found multiple missing authorization checks on the server side of SAP POS Suite. The flaws can be exploited by a remote unauthenticated attacker to:
“11 of all the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 5 of all the Notes are updates to previously released Security Notes.” states the analysis published by ERPScan.
“4 of the released SAP Security Notes have a High priority rating. The highest CVSS score of the vulnerabilities is 8.1.”
Below are the details of the SAP vulnerabilities identified by the experts at the ERPScan team.
The most dangerous flaws in the SAP Security Notes July 2017 are:
ERPScan did not publish any technical detail to avoid public exploitation of the flaws in the wild.
SAP customers are advised to install the patches as soon as possible.
(Security Affairs – SAP POS, hacking)