SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company, but only one of them is new.
SAP released 16 new or updated Security Notes, the overall number of Security Notes published this month is lower than in August.
The vulnerability affects the SAP default implementation of the HTTP PUT method, an attacker could exploit the flaw to bypass the input validation check.
“SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the
An attacker could upload dynamic web content and take over the application, possible impacts are the unauthorized execution of commands, the disclosure of sensitive information, trigger a Denial of Service condition.
Two other Hot
“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system.” reads the analysis published security firm Onapsis. “Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,”.
The last Hot News note released in September 2019 Security Patch updates a patch released in April 2018 and addresses security issued that affect the browser control Google Chromium delivered with SAP Business Client.
SAP also released a set of security patches after the second Tuesday of last month and before the second Tuesday of this month.
The full list of Security Notes released by SAP is available here:
(SecurityAffairs – September 2019 Security Patch, security)