SAP has released the monthly critical patch update for April 2015. This patch update closes a lot of vulnerabilities in SAP products. Most of them are potential information disclosure vulnerabilities.

The most critical issues found by other researchers

Some of our readers and clients asked us to categorize the most critical issues to patch them first. So, the most critical issues of this update can be patched by the following SAP Notes:

2067830: SAP Web Dynpro Java has an Implementation Flaw (CVSS Base Score: 5.8). An attacker can upload a malicious file to a system when the virus scanner is not configured correctly. It is recommended to install this SAP Security Note to prevent risks.

2094830: SAP Sybase Unwired Platform Online Data Proxy has an Information Disclosure vulnerablity (CVSS Base Score: 4.7). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

2084037: SAP NetWeaver RFC SDK has an Information Disclosure vulnerability (CVSS Base Score: 4.3). An attacker can use Information Disclosure to learn additional information (system data, debugging information, etc.) which will help them plan other attacks. It is recommended to install this SAP Security Note to prevent risks.

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Samuli Kaski

    While I and I assume many others appreciate your efforts in increasing awareness of SAP security issues, I would ask you to refrain from soliciting your own product/offering while doing it, it is against the SCN Rules of Engagement.

    (0) 
    1. Alexander Polyakov Post author

      Hello Samuli, i totally agree with you and apologize for this, initially it was a copy paste from our website, and i will take care to delete last sentence before posting it here.

      (0) 

Leave a Reply