SAP Security Notes Review: July 2019
SAP’s security patch day for July 2019 has seen the release of 11 SAP security notes with one High and one critical CVSS v3.0 Rating.
Five of the security notes this month relate to NetWeaver AS ABAP stacks. Two of these relating to UI5 HTML interface issues, one being general to all ABAP stacks, and two specific ones for HCM and PI. The two NetWeaver AS Java vulnerabilities affect all installations of AS Java, regardless of product. There has been one vulnerability found in each of the following products: Solution Manager 7.2, SAP Information Steward 4.2, SAP Commerce Cloud, And SAP BusinessObjects.
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
Critical and High Vulnerabilities: July 2019 Highlights
SAP Solution Manager 7.2
One vulnerability rated as critical has been identified and corrected in SAP Solution Manager 7.2. Last month’s only highly rated vulnerability also related to SAP Solution Manager 7.2. This vulnerability relates to a code injection attack, where the application would execute that code. The solution is to patch the specified component. SAP Note 2808158 describes the problem and solution in more detail.
SAP NetWeaver Process Integration
The other vulnerability rated as high relates to SAP NetWeaver Process Integration of many releases. The effect of this enables an attacker the execution of OS commands with privileged rights. SAP Note 2774489 provides the fix for this issue.