SAP’s Patchday: Critical Security Vulnerabilities Closed in 19 Patches

Patchday: SAP closes 19 security gaps, some of which are critical

On its March Patchday, SAP published a security report covering 19 vulnerabilities in various products. Unusually, the developers have not updated any security notes from previous Patchdays with new information this time.

The company's developers rate five of the 19 vulnerabilities as critical, four as high risk, and ten as medium risk.

In the SAP Business Objects Business Intelligence Platform (CMC), code can be injected and executed with privileged rights.

Attackers can access SAP NetWeaver AS for Java without prior login, which points to ineffective authentication checks.

A vulnerability in the SAPRSBRO program of SAP ERP and S/4HANA allows malicious actors to overwrite system files. Another vulnerability in the SAP Business Objects Business Intelligence Platform allows logged-in users to execute Unix commands remotely.

The high-risk vulnerabilities are in SAP Solution Manager and ABAP Managed Systems (ST-PI), SAP NetWeaver AS for ABAP and ABAP Platform, and SAPOSCOL. The vulnerabilities that the developers consider medium risk affect various SAP products.

IT managers should download and install the available updates quickly to reduce the attack surface for cyber criminals. For the February Patchday, SAP addressed 21 vulnerabilities and released updates to close them.
