SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company.

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company, but only one of them is new.

SAP released 16 new or updated Security Notes, the overall number of Security Notes published this month is lower than in August.

The new Security Note addresses a code injection vulnerability in SAP NetWeaver AS for Java (Web Container). The issue, tracked as CVE-2019-0355, received a CVSS score of 9.1.

The vulnerability affects the SAP default implementation of the HTTP PUT method, an attacker could exploit the flaw to bypass the input validation check.

“SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.” reads the security advisory.

An attacker could upload dynamic web content and take over the application, possible impacts are the unauthorized execution of commands, the disclosure of sensitive information, trigger a Denial of Service condition.

Two other Hot News notes update patches released in the past, they address an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330).

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system.” reads the analysis published security firm Onapsis. “Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,”.

The last Hot News note released in September 2019 Security Patch updates a patch released in April 2018 and addresses security issued that affect the browser control Google Chromium delivered with SAP Business Client.

SAP also released a set of security patches after the second Tuesday of last month and before the second Tuesday of this month.

The full list of Security Notes released by SAP is available here:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – September 2019 Security Patch, security)

[adrotate banner=”5″]

[adrotate banner=”13″]