This month, SAP released seven new security notes that resolve high-severity security defects in NetWeaver, Supply Chain Management, Solution Tools Plug-In (ST-PI), BusinessObjects, and Commerce Cloud.
These include an XML signature wrapping issue in NetWeaver that could allow attackers to send signed XML documents that, once accepted, could expose sensitive user information and could potentially lead to system usage disruption.
The remaining high-severity vulnerabilities resolved this month include a missing authorization check, a race condition, an open redirect, and three denial-of-service (DoS) issues.
The other security notes resolve medium- and low-severity flaws in NetWeaver, BusinessObjects, Document Management System, Business Server Pages Application, Commerce Cloud, Business One, Business Workflow, ABAP-based SAP systems, Fiori App, Support Tools Plug-In, S/4HANA, and Strategic Enterprise Management.
SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their deployments as soon as possible.
Ionut Arghire is an international correspondent for SecurityWeek.
Source: SecurityWeek