This week SAP addressed 13 vulnerabilities in its products with the release of the February 2019 set of security fixes, including a Hot News flaw in SAP HANA Extended Application Services, advanced model (XSA).
SAP Security Patch Day for February 2019 includes 13 Security Notes and 3 updates to previously released security notes. 2 Notes are rated Hot News, 4 rated High priority, and 10 rated Medium priority.
“On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.
The fixes address
The most severe issue is a Hot News Note (CVSS score of 9.8) that updates a Security Note released on the April 2018 Patch Day and that includes security updates for the Chromium browser control delivered with SAP Business Client.
“As mentioned, one of the two SAP Security Notes tagged as HotNews (#2742027) affects SAP HANA XSA (the other one is #2622660 that is regularly updated with Chromium security updates and was explained in a previous blog post). It is a classic Missing Authorization Check that may allow an attacker not only to
“It affects XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2 and can be patched by upgrading the XS Advanced component.”
The security updates include a Hot News Note for HANA XSA that addresses a missing authentication check that could be exploited by an attacker to gain access to high-privileged functionalities, including the ability to
The security vulnerability affects XS Advanced selected versions in SAP HANA 1 and SAP HANA 2.
To address the flaw, customers should upgrade the XS Advanced component. SAP also provided a workaround that consists of disabling the component if it is not in use.
The SAP Security Patch Day for February 2019 also addressed another issue in SAP HANA XSA that could lead to information disclosure; it was rated Medium severity (CVSS score of 6.8).
SAP also released several High priority Security Notes, including one for an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, Missing Authorization
SAP also issued an update to a Security Note released on the November 2014 Patch Day that covers a potential information disclosure relating to the database server file system.
Below there is a summary, published by Onapsis, of the type of vulnerabilities that were addressed in February, including another six that were published in late January, after that month’s Security Notes Patch Day.
(SecurityAffairs – SAP HANA, security)