SAP issues 27 Security Notes, including 14 Patch Day Notes and 13 Support Package Notes. Seven notes are related to previously published patches.
“On 14th of August 2018, SAP Security Patch Day saw the release of 12 Security Notes. Additionally, there were 2 updates to previously released security notes.” reads the advisory published by SAP.
Principal type of vulnerabilities fixed by SAP security notes are SQL Injection and Information Disclosure flaws as reported in the following graph.
According to the experts from ERPScan, in August Implementation Flaw and Missing Authorization Check are the largest groups in terms of the number of vulnerabilities
SAP addressed nine high severity flaws, including two SQL injection vulnerabilities in SAP BusinessObjects that could be exploied by an attacker to extract information from vulnerable system.
“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.
“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”
ERPScan focused the analysis on most serious vulnerabilities all rated as “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447).
“An attacker can use [CVE-2018-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.
“An attacker can use [CVE-2018-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”