SAP’s security patch day for September 2019 saw the release of 12 SAP security notes, including 1 rated High and 3 rated Critical under CVSS v3.0.

 

SAP Security notes by CVSS v3 Base Score September 2019

One of these vulnerabilities applies to SAP GUI and the SAP Kernel, so it affects all customers. One vulnerability relates to all AS Java installations, which means this and two others also apply to all Solution Manager 7.2 installations. Two of the security notes this month relate to Business Objects. Two were also found in the SAP HANA database platform. One vulnerability has also been found in SAP SRM SAP PI, as well as two in SAP Business One.

SAP Security notes by product category September 2019

 

Vulnerabilities: September 2019 Highlights

 

Update 1 to Security Note 2808158: [CVE-2019-0330] OS Command Injection vulnerability in SAP Diagnostics Agent

This update covers two of the notes this month. A vulnerability was found which allows arbitrary code to be executed. The original correction didn’t cover all scenarios, so this note corrects the additional ones. The vulnerability was found in one of the core Solution Manager components, so it should be patched, or the note applied, as soon as possible.

 

Code Injection vulnerability in SAP NetWeaver AS for Java (Web Container)

Affecting the core of the Java Engine, this vulnerability is similar to the one above in that it allows arbitrary code to be executed. It affects all users with a Java stack, which includes Solution Manager. The most common use case of AS Java is as an SAP Portal. Correcting it requires patching Java.

 

About this review

On the second Tuesday of each month, SAP release security updates to their software products.  At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
