The most common flaw types are Cross-Site Scripting and Remote Command Execution, followed by implementation flaws and information disclosure.
“It seems that the downward trend in the number of monthly notes is continuing. This month, a total of 14 security notes has been released, with only seven notes published today. Seven notes in total (50%) are tagged as High Priority or Hot News.” reads the post published by Onapsis.
The two Hot News Security Notes received CVSS scores of 9.8 and 9.1, respectively, they affect SAP Business Client (version 6.5) and SAP BASIS (versions 7.31, 7.40, 7.50, 7.51, 7.65, 7.66).
The first update is related to a Security Note released on April 2018 Patch Day, it addresses third-party web browser controls delivered with SAP Business Client, while the latter is an update for a Note released on November 2016 Patch Day that addresses an OS command injection vulnerability in the Report for Terminology Export component.
SAP June 2018 Security Patch Day also addresses four High severity vulnerabilities and four Medium risk flaws.
“On 12th of June 2018, SAP Security Patch Day saw the release of 5 Security Notes. Additionally, there were 5 updates to previously released security notes.” states the SAP’s advisory.
The most severe high-risk flaw is an information disclosure vulnerability tracked as CVE-2018-2425 affects the SAP Business One- The flaw resides in the Business One version for the SAP HANA backup service and could be exploited by an attacker to access restricted information.
“[CVE-2018-2425] Information Disclosure in SAP Business One for SAP HANA Backup Service (#2588475): Business One is SAP’s more lightweight ERP system designed for small to medium-sized businesses. The vulnerability discussed in the note exists in the Business One version for SAP HANA, more specifically in its backup service.” continues the analysis published by Onapsis.
“The note does not contain many details, but mentions the vulnerability allows an attacker to access information which would otherwise be restricted. It does seem the sensitive information exists in the backup service logs. The fix implies updating your Business One component software.”
The SAP June 2018 Security Patch Day also addresses a remote command execution flaw tracked as CVE-2015-0899 that affects SAP Internet Sales and DoS issue tracked as CVE-2014-0050 that affects SAP Internet Sales.
SAP also addressed the CVE-2018-2408 flaw described as an improper session management bug in SAP Business Objects.
(Security Affairs – SAP June 2018 Security Patch Day, Security)