Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company. SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company, but only one of them is new. SAP released 16 new or updated Security Notes, the overall […]

SAP

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company.

SAP released the September 2019 Security Patch that addressed four Security Notes rated as Hot News by the company, but only one of them is new.

SAP released 16 new or updated Security Notes, the overall number of Security Notes published this month is lower than in August.

The new Security Note addresses a code injection vulnerability in SAP NetWeaver AS for Java (Web Container). The issue, tracked as CVE-2019-0355, received a CVSS score of 9.1.

The vulnerability affects the SAP default implementation of the HTTP PUT method, an attacker could exploit the flaw to bypass the input validation check.

“SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.” reads the security advisory.

An attacker could upload dynamic web content and take over the application, possible impacts are the unauthorized execution of commands, the disclosure of sensitive information, trigger a Denial of Service condition.

Two other Hot News notes update patches released in the past, they address an OS command injection vulnerability in SAP Diagnostics Agent (CVE-2019-0330).

“A SolMan admin can abuse the Diagnostic Agent (SMDAgent) bug and gain access to any SAP system connected to the SolMan system.” reads the analysis published security firm Onapsis. “Even though many SolMan admins have admin privileges in other SAP systems, certain scenarios may allow an escalation of privileges to those who don’t,”.

The last Hot News note released in September 2019 Security Patch updates a patch released in April 2018 and addresses security issued that affect the browser control Google Chromium delivered with SAP Business Client.

SAP also released a set of security patches after the second Tuesday of last month and before the second Tuesday of this month.

The full list of Security Notes released by SAP is available here:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – September 2019 Security Patch, security)

[adrotate banner=”5″]

[adrotate banner=”13″]