Today, the Onapsis Research Labs released 14 advisories for SAP and 6 for Oracle E-Business Suite. All of the SAP advisories pertain to SAP NetWeaver - the technical integration platform on top of which enterprise and business solutions are developed and run. Half of these advisories for SAP NetWeaver relate to remote command execution vulnerabilities, which will be explained later in this post. On the Oracle side, all six advisories relate to cross-site scripting (XSS) attacks on the core business application Oracle E-Business Suite.
Today is the second Tuesday of September, which means that SAP has released their monthly batch of Security Notes. SAP published 21 SAP Security Notes this month (6 Notes were published after August the 8th, and did not have any Hot News items. Only four Notes this month were considered to be ‘high priority’ (16 were Medium and 1 was Low).
Two of the four ‘high priority’ SAP Security Notes are related to the product SAP Adaptive Server Enterprise (SAP ASE - http://go.sap.com/product/data-mgmt/sybase-ase.html):
Today, SAP released their latest batch of monthly Security Notes. Despite this month not being specifically critical, Denial of Service attacks are a central point of concern. A Denial of Service (DoS) attack intends to make one or more resource unavailable. In the case of SAP, DoS attacks could be a partial and affect only a specific program or database, or they could be complete, taking all SAP infrastructure offline.
Today we have released 12 new Oracle application advisories which affect two different products: Oracle E-Business Suite and JD Edwards. The advisories include various types of vulnerabilities such as Cross Site Scripting, Denial of Service, Password Disclosure and User Creation. After great success uncovering hundreds of vulnerabilities in SAP systems, our Research Labs are expanding our security advisories to now include Oracle products.