SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years

SAP released its October 2018 set of patches; it includes the first Hot News security note for SAP BusinessObjects in over five years.

The October 2018 set of patches includes 11 new security notes; the company also released 4 updates to previously released notes.

In total the release comprises 15 notes, 2 of which are rated Hot News; one of those is the first Hot News note for SAP BusinessObjects in over five years.

“SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks.” reads a blog post published by ERPScan.

The remaining notes comprise 4 rated High priority and 9 rated Medium priority; in the October set, Information Disclosure is the largest category in terms of the number of vulnerabilities.

The most important note (CVSS score of 9.8) addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client tracked as CVE-2018-2471.

“Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.” reads the security advisory.

The second Hot News in the October 2018 set of patches is an update to a Security Note released in April 2018; it provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws addressed by SAP in October are:

2699726 – [CVE-2018-2475] Missing network isolation in Gardener
Product – project “Gardener”; Versions – 0.12.2
Priority – High; CVSS – 8.5

2674215 – Denial of service (DoS) in OPC UA applications of SAP Plant Connectivity
Related CVEs – CVE-2018-12585, CVE-2018-12086
Product – SAP Plant Connectivity; Versions – 15.0, 15.1, 15.2
Priority – High; CVSS – 8.2

2392860 – Update to Security Note released on February 2017 Patch Day: Leveraging privileges by customer transaction code
Product – SAP Records Management; Versions – 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51
Priority – High; CVSS – 8.0

2681207 – Update to Security Note released on September 2018 Patch Day: [CVE-2018-2465] Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model
Product – SAP HANA; Versions – 1.0, 2.0
Priority – High; CVSS – 7.5

Experts from security firm ERPScan noted that the missing network isolation in Gardener could theoretically be chained with other issues to compromise clusters in the application context.

The other SAP security notes address vulnerabilities in NetWeaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

This patch update also addresses 5 Support Package Notes.

Pierluigi Paganini

(Security Affairs – BusinessObjects, SAP)
