Today, SAP released their monthly security notes. This month, there are 23 new SAP notes that contain new switchable authorization checks in RFC, and 7 SAP notes for missing authorization checks. This month’s security notes also include 29 note updates from previously published security notes.
In today’s evolving IT landscape, companies are constantly planning their next steps when it comes to business-critical application security. Specifically, they are planning these steps around their SAP environment, which supports core business processes for some of the world’s largest organizations. When it comes to migrating SAP solutions to the cloud, different roadmaps are regularly being assembled and developed in order to properly transfer solutions that were traditionally supported by on-premises SAP systems to a diverse range of cloud offerings provided by SAP.
Today, the Onapsis Research Labs released 14 advisories for SAP and 6 for Oracle E-Business Suite. All of the SAP advisories pertain to SAP NetWeaver - the technical integration platform on top of which enterprise and business solutions are developed and run. Half of these advisories for SAP NetWeaver relate to remote command execution vulnerabilities, which will be explained later in this post. On the Oracle side, all six advisories relate to cross-site scripting (XSS) attacks on the core business application Oracle E-Business Suite.
Today is the second Tuesday of September, which means that SAP has released their monthly batch of Security Notes. SAP published 21 SAP Security Notes this month (6 Notes were published after August the 8th, and did not have any Hot News items). Only four Notes this month were considered to be ‘high priority’ (16 were Medium and 1 was Low).
Two of the four ‘high priority’ SAP Security Notes are related to the product SAP Adaptive Server Enterprise (SAP ASE - http://go.sap.com/product/data-mgmt/sybase-ase.html):