SAP Security Patch Day for May 2019 fixes many missing authorization checks

SAP released its Security Patch Day updates for May 2019, which include 8 Security Notes, 5 of which are updates to previously released Notes.

Five Security Notes included in SAP Security Patch Day for May 2019 addressed missing authorization checks in SAP products, including Treasury and Risk Management, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services. 

“Today, being the second Tuesday of the month, SAP released May’s Security Notes. This month, there are no critical or Hot News notes published, but there are three High Priority Notes, as well as two other SAP Security Notes affecting SAP Solution Manager (reported by the Onapsis Research Labs).” reads a blog post published by SAP security firm Onapsis. “This month, 50% of the patches are Missing Authorization Checks, which is higher than the average 15%. Even though this is one of the most common vulnerabilities in SAP software.”

SAP also released five Security Notes to address information disclosure vulnerabilities in several products, including BusinessObjects and Solution Manager. 

One Security Note addresses a privilege escalation issue (CVE-2019-0301) in SAP Identity Management REST Interface Version 2; this is the only Note rated as High priority, while the remaining 12 are rated Medium.

“Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, which would otherwise be restricted only for viewing.” reads the security advisory for CVE-2019-0301.

This is the most severe flaw; it received a CVSS score of 8.4.

Two flaws received a CVSS score of 6.3: an information disclosure in the BusinessObjects business intelligence platform (CVE-2019-0287) and a missing authorization check in Treasury and Risk Management (CVE-2019-0280).

SAP published updates for Security Notes released in October 2009, September 2010, December 2010, and March 2013.

“A total of 11 Security Notes were published in May and an additional three in late April after last month’s Patch Tuesday, represented in these types: Missing Authorization Checks (the most common type of vulnerability in SAP software), Information Disclosure, Cross-Site Scripting (XSS) and Privilege Escalation.” adds Onapsis.

Pierluigi Paganini

(SecurityAffairs – SAP Security Patch Day for May 2019)
