#1243126: SAP Cyber Threat Intelligence report – January 2019

Description: The SAP threat landscape is always expanding, putting organizations of all sizes and industries at risk of cyber attacks. The idea behind the monthly SAP Cyber Threat Intelligence report is to provide insight into the latest security vulnerabilities and threats.

The first set of SAP Security Notes of 2019 consists of 18 patches.
Two of the released SAP Security Notes were assessed as Hot News.
The most severe security issue was assessed at 9.3 (of 10) by CVSS base score.
This month, Cross-Site Scripting is the most common vulnerability type.
The SAP NetWeaver ABAP platform accounts for most of the vulnerabilities fixed this month.

SAP has released the monthly critical patch update for January 2019. This patch update closes 18 SAP Security Notes (11 SAP Patch Day Notes and 7 Support Package Notes). One of the patches is an update to a previously released Security Note.

Two of the released SAP Security Notes are Hot News, with the highest CVSS base scores of 9.3 and 9.1. Below is a chart that illustrates the distribution of SAP Security Notes by priority.

As seen from the chart, there was a slight increase in the number of security notes compared to the previous two months. SAP continues patching Hot News issues.

This time, Cross-Site Scripting has become the largest group in terms of the number of vulnerabilities, and Implementation Flaw has taken second place.

61% (11) of all vulnerabilities belong to the SAP NetWeaver ABAP platform, as the pie chart shows:

The following SAP Security Notes can patch the most severe vulnerabilities of this update:

2696233: SAP Cloud Connector has several vulnerabilities (CVSS Base Score: 9.3; CVE-2019-0246, CVE-2019-0247). An attacker can use a missing authentication vulnerability to gain access to the service and read, modify or delete information. In addition, he or she could use administrative or privileged functionalities.
The attacker can also use an OS command execution vulnerability for unauthorized execution of operating system commands. Executed commands run with the same privileges as the service that executes them. The attacker can access arbitrary files and directories on the SAP server filesystem, including application source code, configuration, and critical system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
Install this SAP Security Note to prevent the risks.
2727624: SAP Landscape Management has an Information Disclosure vulnerability (CVSS Base Score: 9.1; CVE-2019-0249). An attacker can use an information disclosure vulnerability to reveal additional information (e.g., system data, debugging information, etc.) which helps to explore the system and plan other attacks.
Install this SAP Security Note to prevent the risks.
2724788: Adobe PDF Print Library has multiple vulnerabilities (CVSS Base Score: 7.3). Depending on the vulnerability, an implementation flaw can result in unpredictable behavior and issues related to system stability and safety. The patches correct configuration errors, add new functionality and improve system stability.
Install this SAP Security Note to prevent the risks.
Advisories for all these SAP vulnerabilities with technical details will be available in three months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.
More info: https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-january-2019/

Date added: Jan. 11, 2019, 9:42 a.m.
Source: ERPScan
Subjects
  • Latest Global Security News
  • Surveys Results and Reports on IT Security