SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years

October 11, 2018

SAP released its October 2018 set of patches, it includes the first Hot News security note for SAP BusinessObjects in over five years.

SAP released its October 2018 set of patches that included 11 security notes, the company also released 4 updates to previously released notes.

The patches include 15 notes, 2 rated Hot News and one of which is the first note for SAP BusinessObjects in over five years.

“SAP BusinessObjects BI Suite has an Information Disclosure vulnerability (CVSS Base Score: 9.8 CVE-2018-2471). An attacker can use it to reveal additional information (system data, debugging information, etc.) that will help to learn about a system and plan other attacks.” reads a blog post published by ERPScan.

The remaining notes include 4 High priority and 9 Medium priority, in October Information Disclosure is the largest group in terms of the number of vulnerabilities.

businessObjects sap-notes-october-2018-types-1

The most important note (CVSS score of 9.8) addresses an information disclosure issue in the SAP BusinessObjects Business Intelligence Suite client tracked as CVE-2018-2471.

“Under certain conditions SAP BusinessObjects Business Intelligence Platform 4.10 and 4.20 allows an attacker to access information which would otherwise be restricted.” reads the security advisory.

The second Hot News in the October 2018 set of patches is an update to Security Note released on April 2018, it provides security updates for the Chromium browser delivered with SAP Business Client.

The High priority flaws addressed by SAP in October are:

2699726 [CVE-2018-2475Missing network isolation in Gardener 
Product – project “Gardener”; Versions – 0.12.2
High 8.5
2674215 Denial of service (DOS) in OPC UA applications of SAP Plant Connectivity 
Related CVEs – CVE-2018-12585CVE-2018-12086
Product – SAP Plant Connectivity; Versions – 15.0, 15.1, 15.2
High 8.2
2392860 Update to Security Note released on February 2017 Patch Day:
Leveraging privileges by customer transaction code

Product – SAP Records Management; Versions – 7.0 to 7.02, 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51
High 8.0
2681207 Update to Security Note released on September 2018 Patch Day: 
[CVE-2018-2465Missing XML Validation vulnerability in SAP HANA, Extended Application Services classic model
Product – SAP HANA; Versions – 1.0, 2.0
High 7.5

Experts from security firm ERPScan noticed that chaining the missing network isolation in Gardener theoretically can lead to compromise of clusters in the application context

The others SAP security notes address vulnerabilities in in Netweaver Application Server for ABAP (CVE-2018-2470), BusinessObjects (CVE-2018-2472, CVE-2018-2467), Data Services (CVE-2018-2466), Plant Connectivity (CVE-2017-12069), Adaptive Server Enterprise (CVE-2018-2469, CVE-2018-2468), and Fiori (CVE-2018-2474).

This patch update also addresses 5 Support Package Notes.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(Security Affairs – BusinessObjects, SAP)

The post SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years appeared first on Security Affairs.

Source: Security affairs

Da Feed

Author: Da Feed

The Charles Tendell Show aggregates the best content from all over the web. Check out the latest in tech, politics, and more at Get your own website added to the feed by contacting us today!

Comments are closed.

© 2016 The Charles Tendell Show