SAP security fixes address Critical flaw in SAP HANA XSA


SAP released a collection of security fixes for February 2019 that address 13 vulnerabilities in its products, including a Hot News flaw in SAP HANA XSA.

This week SAP addressed 13 vulnerabilities in its products with the release of the February 2019 set of security fixes, including a Hot News flaw in SAP HANA Extended Application Services (XSA), advanced model.

SAP Security Patch Day for February 2019 includes 13 Security Notes and 3 updates to previously released security notes. 2 Notes are rated Hot News, 4 rated High priority, and 10 rated Medium priority.

“On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

The fixes address flaws in the following SAP products: Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The most severe issue is a Hot News Note (CVSS score of 9.8) that updates a Security Note released on the April 2018 Patch Day and that includes security updates for the Chromium browser control delivered with SAP Business Client.

“As mentioned, one of the two SAP Security Notes tagged as HotNews (#2742027) affects SAP HANA XSA (the other one is #2622660 that is regularly updated with Chromium security updates and was explained in a previous blog post). It is a classic Missing Authorization Check that may allow an attacker not only to read/modify/delete sensitive information, but also to gain high-privileged functionalities.” reads the analysis published by Onapsis.

“It affects XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2 and can be patched by upgrading the XS Advanced component.”

The security updates include a Hot News Note for HANA XSA that addresses a missing authentication check that could be exploited by an attacker to gain access to high-privileged functionalities, including the ability to read, modify, or delete sensitive information.

The vulnerability affects selected XS Advanced versions in SAP HANA 1 and SAP HANA 2.

To address the flaw, customers should upgrade the XS Advanced component. SAP also provided a workaround that consists of disabling the component, if not in use. 

The SAP Security Patch Day for February 2019 also addressed another issue in SAP HANA XSA that could lead to information disclosure; it was rated Medium severity (CVSS score of 6.8).

SAP addressed several High priority Security Notes including an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, Missing Authorization check in Disclosure Management, and access to Easy Access Menu in ABAP Platform. 

SAP also issued an update to a security note released on the November 2014 Patch Day that covers a potential information disclosure relating to the database server file system.

Below is a summary, published by Onapsis, of the types of vulnerabilities that were addressed in February, including another six that were published in late January, after that month’s Security Notes Patch Day.


Pierluigi Paganini

(SecurityAffairs – SAP HANA, security)
