SAP Patch Day: 16 Security Alerts on Business Software Leaks

SAP has released 16 security notifications for its July patch day: one critical vulnerability, six high-risk vulnerabilities, and nine medium-severity vulnerabilities. IT managers are advised to apply the updates promptly. Alongside these updates, SAP is also updating the Google Chrome web browser, which contained a critical vulnerability, and addressing a high-risk vulnerability in SAP UI5 Variant Management that was patched in June.

The critical vulnerability is found in SAP ECC and SAP S/4HANA (IS-OIL). Authenticated attackers can inject commands into the underlying operating system through an unprotected parameter in an installed extension. This allows them to read or change system data or shut down the system. A high-risk vulnerability is present in SAP NetWeaver (BI CONT ADD ON), where non-administrative users can exploit a directory traversal vulnerability to overwrite system files and compromise the system.

SAP Web Dispatcher also has a vulnerability that allows unauthenticated attackers to send manipulated requests in order to execute their own code on the back-end server and read or modify information. There is also a denial-of-service vulnerability in SAP SQL Anywhere, a potential memory corruption vulnerability in SAP Web Dispatcher, a server-side request forgery vulnerability in SAP Solution Manager (Diagnostic Agent), and a possible header injection vulnerability in SAP Solution Manager (Diagnostic Agent).

The medium severity threats include vulnerabilities in SAP NetWeaver Process Integration (Message Display Tool), SAP S/4HANA (Manage Journal Entry Template), SAP Enable Now, SAP NetWeaver AS ABAP and ABAP Platform, SAP BusinessObjects BI Platform (Enterprise), SAP NetWeaver AS for Java (Log Viewer), SAP ERP Defense Forces and Public Security, and SAP Business Warehouse and SAP BW/4HANA.

Further details and links to individual security notes can be found in the SAP patch day report. In the previous month’s patch day, SAP addressed eight new security vulnerabilities in its business software, some of which were classified as high risk.