SAP Security Notes August 2018, watch out for SQL Injection

“Two of these High Priority notes concern vulnerabilities reported by Onapsis Research Labs: one fixes two SQL Injection vulnerabilities in SAP BusinessObjects. Basically, an attacker with a low privileges session can inject data and extract information that he should not be able to. The other vulnerability fixes two bugs found in SAP HANA XSA.” reads the blog post published by Onapsis.

“Another High Priority Note reported by the Onapsis Research Labs, #2644154, is tagged with a CVSS v3 base score: 7.7/10. It fixes two SQL-injection (SQLi) vulnerabilities found in SAP BusinessObjects (BOBJ) by Onapsis researcher Gaston Traberg. The issues were found in the frontend webserver of the Central Management Console (CMC). One of these SQLi is a blind boolean-based SQLi, and the other a regular SQLi vulnerability.”

ERPScan focused the analysis on most serious vulnerabilities all rated as “high severity,” including the two SQL injection flaws found by Onapsis in BusinessObjects (CVE-2018-2447).

“An attacker can use [CVE-2018-2449] vulnerability to access a service without any authorization procedures and to use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation, and other attacks,” states ERPScan.

“An attacker can use [CVE-2018-2447] vulnerability with a help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations, destroy data or make it unavailable. In some cases, the hacker can access system data or execute OS commands. Install this SAP Security Note to prevent the risks”

Pierluigi Paganini

(Security Affairs – SAP, Security Notes)

[adrotate banner=”5″]

[adrotate banner=”13″]