SAP released patches to mitigate 16 issues, including 13 rated at “high severity.”
The most common types of flaws patched this month are cross-site scripting (XSS), missing authorization check, and implementation flaws.
Four of the security holes, reported by ERPScan, include a directory traversal in SAP xMII (Manufacturing Integration and Intelligence), a solution designed to connect an organization’s business operations to systems on the plant floor. The flaw can be exploited to access potentially sensitive information stored on the SAP server filesystem.
This SAP product has an important role in the operations of manufacturing, energy, oil and gas, and utility companies.
Vulnerabilities in xMII can be leveraged in the first phase of a multi-stage attack whose goal is to give malicious actors control over plant devices and manufacturing systems, researchers said.
In the past, ERPScan researchers showed how attackers can target companies in the oil and gas sector using vulnerabilities in SAP xMII and other business applications that bridge operational and information technology networks.
ERPScan also reported three other new flaws patched by SAP, including a SQL injection in SAP Universal Description, Discovery and Integration (UDDI), an information disclosure issue in SAP Universal Worklist Configuration, and an XSS in SAP Java Proxy Runtime.
Researchers classified three other newly patched vulnerabilities as “critical.” One of them, with a CVSS score of 7.5, is an OS command execution flaw in SAP’s TREX search technology, ERPScan researchers said in a blog post.
Another serious weakness can be leveraged for denial-of-service attacks. The flaw, found in the SAPSSOEXT library, can be exploited to terminate a service, which could lead to system downtime and disruption of the business process.
ERPScan has also advised SAP customers to quickly apply the patch for an XSS vulnerability in HANA Extended Application Services SAPUI5.